CVE-2026-41175 Overview
CVE-2026-41175 is a query parameter manipulation vulnerability in Statamic, a Laravel and Git powered content management system (CMS). This vulnerability allows attackers to manipulate query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, resulting in unauthorized deletion of content, assets, and user accounts.
Critical Impact
Exploitation can lead to complete loss of content, assets, and user accounts through unauthorized data deletion operations.
Affected Products
- Statamic CMS versions prior to 5.73.20
- Statamic CMS versions prior to 6.13.0
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-41175 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41175
Vulnerability Analysis
This vulnerability is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code). The flaw exists in how Statamic handles query parameters across multiple interfaces including the Control Panel, REST API, and GraphQL API endpoints. Attackers can craft malicious query parameters or GraphQL arguments that bypass normal authorization checks, enabling destructive operations on resources they should not have access to modify or delete.
The Control Panel exploitation path requires authentication but only minimal permissions. For example, a user with only "view entries" permission could exploit this to delete entries, or a user with "view users" permission could delete user accounts. This represents a significant privilege escalation vector where read-only permissions can be leveraged for destructive write operations.
The REST and GraphQL API attack surfaces do not require any permissions by default, though these APIs are disabled out of the box. Sites that have explicitly enabled these APIs without configuring proper authentication are at critical risk.
Root Cause
The root cause stems from improper validation and sanitization of user-controlled query parameters and GraphQL arguments. The application fails to properly restrict the operations that can be performed based on the actual permissions granted, allowing parameter manipulation to trigger unauthorized actions. This class-selection vulnerability allows external input to influence code execution paths that should be restricted.
Attack Vector
The vulnerability is exploitable via network access with low attack complexity. Three distinct attack vectors exist:
Control Panel Attack: Requires authenticated access with minimal read permissions. Attackers manipulate query parameters on Control Panel endpoints to perform deletion operations beyond their authorized scope.
REST API Attack: If the REST API is enabled without authentication, attackers can craft malicious requests with manipulated parameters to delete resources without any credentials.
GraphQL API Attack: Similar to REST, if GraphQL is enabled without authentication, malicious query arguments can trigger unauthorized resource deletion.
The vulnerability affects data integrity and availability but does not directly expose confidential information.
Detection Methods for CVE-2026-41175
Indicators of Compromise
- Unexpected deletion of entries, assets, or user accounts in Statamic CMS
- Unusual query parameters in Control Panel request logs
- Anomalous REST API or GraphQL requests targeting resource endpoints
- User accounts with read-only permissions triggering write operations in audit logs
Detection Strategies
- Monitor Statamic Control Panel access logs for unusual query parameter patterns
- Implement Web Application Firewall (WAF) rules to detect parameter manipulation attempts
- Review GraphQL query logs for malformed or suspicious argument structures
- Audit user activity for permission escalation patterns where read permissions result in delete operations
Monitoring Recommendations
- Enable comprehensive logging for all Control Panel, REST API, and GraphQL endpoints
- Set up alerts for bulk deletion operations or unusual resource modification patterns
- Monitor authentication attempts and permission usage correlation
- Implement real-time detection for parameter injection patterns in API requests
How to Mitigate CVE-2026-41175
Immediate Actions Required
- Upgrade Statamic CMS to version 5.73.20 or later for the 5.x branch
- Upgrade Statamic CMS to version 6.13.0 or later for the 6.x branch
- If running REST or GraphQL APIs without authentication, treat patching as critical priority
- Review and audit current API authentication configurations
- Temporarily disable REST and GraphQL APIs if they are enabled without authentication and patching is not immediately possible
Patch Information
The vulnerability has been fixed in Statamic CMS versions 5.73.20 and 6.13.0. Detailed information about the security fix is available in the GitHub Security Advisory. Organizations should prioritize upgrading to these patched versions immediately.
Workarounds
- Disable REST API if not required by adding the appropriate configuration setting
- Disable GraphQL API if not actively used in your deployment
- Implement authentication requirements for all API endpoints before upgrading
- Restrict Control Panel access to trusted networks using firewall rules
- Apply principle of least privilege by removing unnecessary user permissions
# Configuration example - Disable APIs in Statamic config
# In config/statamic/api.php
'enabled' => false,
# In config/statamic/graphql.php
'enabled' => false,
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
