CVE-2026-44306 Overview
CVE-2026-44306 is a user enumeration vulnerability in Statamic, a Laravel- and Git-powered content management system (CMS). The forgot password forms returned responses that differed depending on whether an account existed for a submitted email address. An unauthenticated remote attacker can exploit this behavior to enumerate valid user accounts. Confirmed valid accounts enable follow-up credential-based attacks such as password spraying, phishing, and credential stuffing. The issue is classified under CWE-204 (Observable Response Discrepancy) and is fixed in Statamic versions 5.73.21 and 6.15.0.
Critical Impact
Unauthenticated attackers can enumerate valid Statamic user accounts through the forgot password endpoint, expanding the attack surface for subsequent credential attacks.
Affected Products
- Statamic CMS versions prior to 5.73.21
- Statamic CMS versions prior to 6.15.0 in the 6.x branch
- Laravel-based deployments running affected Statamic releases
Discovery Timeline
- 2026-05-12 - CVE-2026-44306 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44306
Vulnerability Analysis
The vulnerability resides in the forgot password workflow exposed by Statamic's authentication scaffolding. When a user submits an email address to request a password reset, the application produces observable differences in its response based on whether the address corresponds to a registered account. These differences can include distinct response bodies, status codes, redirect targets, flash messages, or measurable timing variations.
An attacker can script HTTP requests against the forgot password endpoint with a list of candidate email addresses. By comparing responses, the attacker builds an accurate inventory of valid accounts without authenticating. While the vulnerability itself does not expose credentials or content, it materially reduces the cost of subsequent attacks against the identified accounts.
Root Cause
The root cause is an information disclosure pattern tracked as CWE-204 (Observable Response Discrepancy). Secure password reset flows must return a uniform response for every submission, regardless of whether the email maps to a real account. Statamic releases prior to 5.73.21 and 6.15.0 did not normalize these responses, allowing an attacker to distinguish valid from invalid email addresses.
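The discrepancy described in the analysis above, and the uniform response the root cause calls for, shown side by side in a Python example added for this page. It is not Statamic's code and does not reproduce the patched handler; the user store, addresses, messages, and the small App and Response stand-ins are all constructed for the illustration. The point it makes beyond the text is that normalizing the status, redirect and message is not enough on its own: if the mail is sent synchronously only for real accounts, the response time still reveals the lookup result, so the hardened version queues the send.

```python
# Added example (not Statamic's code): a minimal forgot-password handler written
# two ways, to show the CWE-204 discrepancy and a normalized alternative.
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store; these addresses are hypothetical.
USERS = {"editor@example.com": "user-1", "admin@example.com": "user-2"}


@dataclass
class Response:
    status: int
    body: str
    redirect: Optional[str] = None


@dataclass
class App:
    """Tiny stand-in for the framework: a token store, a mail outbox and a job queue."""
    tokens: dict = field(default_factory=dict)
    sent_mail: list = field(default_factory=list)
    queued_jobs: list = field(default_factory=list)

    def send_reset_mail(self, email: str) -> None:
        # Synchronous send: only runs for real accounts, so it also leaks via timing.
        self.tokens[email] = secrets.token_urlsafe(32)
        self.sent_mail.append(email)


def vulnerable_forgot_password(app: App, email: str) -> Response:
    """Pre-fix behaviour: the lookup result is visible in the status code,
    the redirect target and the flash message (CWE-204)."""
    if email not in USERS:
        return Response(422, "We can't find a user with that email address.", "/forgot-password")
    app.send_reset_mail(email)
    return Response(302, "We have emailed your password reset link!", "/login")


def hardened_forgot_password(app: App, email: str) -> Response:
    """Normalized behaviour: every well-formed submission gets the same status,
    redirect and message. The lookup still happens, but its outcome only
    changes what a background job does later, not what the client sees now."""
    if email in USERS:
        # Queue the send so response time does not depend on mail delivery.
        app.queued_jobs.append(("send_reset_mail", email))
    return Response(302, "If an account exists for that address, a reset link has been sent.", "/forgot-password")


def response_discrepancy(handler, known: str, unknown: str) -> bool:
    """True if a client could tell the two submissions apart from the response alone."""
    app = App()
    return handler(app, known) != handler(app, unknown)


if __name__ == "__main__":
    known, unknown = "editor@example.com", "nobody@example.com"
    print("vulnerable distinguishable:", response_discrepancy(vulnerable_forgot_password, known, unknown))
    print("hardened distinguishable:  ", response_discrepancy(hardened_forgot_password, known, unknown))
```

The hardened handler still validates the address format before the lookup (not shown); a format error is safe to report because it does not depend on whether the account exists.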
Attack Vector
Exploitation requires only network access to the Statamic login surface. No authentication or user interaction is needed. An attacker sends crafted HTTP POST requests to the password reset endpoint and parses the responses for enumeration signals. See the GitHub Security Advisory GHSA-m24v-f7g5-gq67 for vendor technical details.
Detection Methods for CVE-2026-44306
Indicators of Compromise
- High-volume POST requests from a single source IP to the Statamic forgot password endpoint within a short window.
- Sequential requests submitting many distinct email addresses without follow-through password reset completions.
- Requests originating from anonymizing infrastructure such as Tor exit nodes, residential proxies, or known scraping services.
Detection Strategies
- Inspect web server and application logs for repeated requests to the password reset route with varying email parameters.
- Correlate forgot password traffic with subsequent failed login attempts against the same accounts to identify enumeration followed by credential attacks.
- Apply rate-limit threshold alerts on the password reset endpoint and trigger when requests exceed expected baselines.
Monitoring Recommendations
- Forward Statamic and reverse-proxy access logs to a centralized analytics platform for retention and correlation.
- Track unique email addresses submitted per source IP per hour as a behavioral metric.
- Alert on User-Agent anomalies, missing Referer headers, and scripted request patterns against authentication endpoints.
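The detection strategies and the per-IP distinct-address metric above, implemented over constructed log lines as a Python example added for this page (it is not Statamic's or Laravel's logging code). The JSON-lines layout and its field names (ts, ip, route, email, outcome) are an assumed application-log format, chosen because web server access logs do not carry the submitted email; the routes, addresses and IPs are constructed sample data. The example flags a source IP whose distinct submitted addresses in any one-hour window meet a threshold, lists submissions never followed by a completed reset, and correlates probed addresses with later failed logins from any source.

```python
# Added example (not from the page or Statamic): detection logic over constructed
# application-log lines for the forgot-password route.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines log. The field names are an assumed format, not a
# real Statamic or Laravel log layout; IPs and addresses are sample values.
SAMPLE_LOG = """
{"ts": "2026-05-14T09:00:01Z", "ip": "203.0.113.7", "route": "/forgot-password", "email": "a@example.com", "outcome": "submitted"}
{"ts": "2026-05-14T09:00:03Z", "ip": "203.0.113.7", "route": "/forgot-password", "email": "b@example.com", "outcome": "submitted"}
{"ts": "2026-05-14T09:00:05Z", "ip": "203.0.113.7", "route": "/forgot-password", "email": "c@example.com", "outcome": "submitted"}
{"ts": "2026-05-14T09:00:07Z", "ip": "203.0.113.7", "route": "/forgot-password", "email": "editor@example.com", "outcome": "submitted"}
{"ts": "2026-05-14T09:00:09Z", "ip": "203.0.113.7", "route": "/forgot-password", "email": "d@example.com", "outcome": "submitted"}
{"ts": "2026-05-14T09:00:11Z", "ip": "203.0.113.7", "route": "/forgot-password", "email": "admin@example.com", "outcome": "submitted"}
{"ts": "2026-05-14T09:15:00Z", "ip": "198.51.100.4", "route": "/forgot-password", "email": "editor@example.com", "outcome": "submitted"}
{"ts": "2026-05-14T09:16:30Z", "ip": "198.51.100.4", "route": "/reset-password", "email": "editor@example.com", "outcome": "completed"}
{"ts": "2026-05-14T11:40:00Z", "ip": "203.0.113.9", "route": "/login", "email": "editor@example.com", "outcome": "failed"}
{"ts": "2026-05-14T11:40:02Z", "ip": "203.0.113.9", "route": "/login", "email": "admin@example.com", "outcome": "failed"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def distinct_emails_per_ip(events, window=timedelta(hours=1), threshold=5):
    """Sliding-window count of distinct addresses each IP submitted to the
    forgot-password route; returns {ip: sorted addresses} for IPs whose peak
    count in any window meets the threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["route"] == "/forgot-password":
            by_ip[e["ip"]].append((e["ts"], e["email"]))
    flagged = {}
    for ip, submissions in by_ip.items():
        peak = 0
        for i, (start, _) in enumerate(submissions):
            in_window = {em for ts, em in submissions[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = sorted({em for _, em in submissions})
    return flagged


def unfinished_resets(events):
    """Addresses submitted to forgot-password with no completed reset afterwards."""
    completed = {e["email"] for e in events
                 if e["route"] == "/reset-password" and e["outcome"] == "completed"}
    submitted = {e["email"] for e in events if e["route"] == "/forgot-password"}
    return sorted(submitted - completed)


def correlate_failed_logins(events, flagged):
    """Addresses probed by a flagged IP that later attract failed logins from
    any source: enumeration followed by a credential attack."""
    first_probe = {}
    for e in events:
        if e["route"] == "/forgot-password" and e["ip"] in flagged:
            first_probe.setdefault(e["email"], e["ts"])
    hits = defaultdict(list)
    for e in events:
        if (e["route"] == "/login" and e["outcome"] == "failed"
                and e["email"] in first_probe and e["ts"] > first_probe[e["email"]]):
            hits[e["email"]].append(e["ip"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = distinct_emails_per_ip(evs)
    print("flagged sources:", flagged)
    print("no reset completed:", unfinished_resets(evs))
    print("probed then failed login:", correlate_failed_logins(evs, flagged))
```

The threshold and window are tuning knobs; a legitimate user retrying one address a few times never raises the distinct-address count, which is why the metric counts addresses rather than requests.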
How to Mitigate CVE-2026-44306
Immediate Actions Required
- Upgrade Statamic to version 5.73.21 for 5.x deployments or 6.15.0 for 6.x deployments.
- Audit recent web logs for indicators of mass forgot password submissions and identify potentially enumerated accounts.
- Enforce multi-factor authentication for all administrative and editorial accounts to reduce the value of enumerated identifiers.
Patch Information
The Statamic maintainers fixed the vulnerability in releases 5.73.21 and 6.15.0 by normalizing forgot password responses so they no longer differ based on account existence. Upgrade instructions and release notes are available in the GitHub Security Advisory GHSA-m24v-f7g5-gq67.
Workarounds
- Place the forgot password endpoint behind a Web Application Firewall (WAF) rule that rate-limits requests per source IP and per session.
- Add CAPTCHA or proof-of-work challenges to the forgot password form to deter automated enumeration.
- Restrict administrative authentication endpoints to known IP ranges or VPN-protected networks where feasible until patches are deployed.
# Configuration example: upgrade Statamic via Composer
composer require statamic/cms:^5.73.21 --update-with-dependencies
# or for the 6.x branch
composer require statamic/cms:^6.15.0 --update-with-dependencies
php artisan view:clear
php artisan config:clear
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.