Discoverability of user password hash in Statamic CMS
Description
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response; however, the presence or absence of a result confirms whether the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Statamic CMS REST API allows attackers to confirm individual characters of user password hashes using crafted regex filters, leading to eventual full hash disclosure; fixed in versions 3.2.39 and 3.3.2.
Vulnerability
In Statamic CMS versions before 3.2.39 and 3.3.2, the users endpoint of the REST API allows filtering by regular expressions. An attacker can craft a regex that matches a single character of a user's password hash at a specific position. By observing whether results are returned, the attacker can confirm the character. This is a side channel: the hash is never returned, but the presence or absence of results answers each guess. The vulnerability exists only if both the REST API and the users endpoint are enabled (disabled by default). [1]
Exploitation
The attacker needs network access to the API. No authentication is required if the users endpoint is publicly accessible. The attacker sends multiple requests, each testing a character position with a regex like ^a to confirm if the hash starts with 'a'. Due to default API throttling, this is time-intensive. The attacker must repeat for each character until the entire hash is revealed. [1]
Impact
Successful exploitation leads to full disclosure of the user's password hash. While the hash itself is not directly usable, it can be used in offline brute-force attacks. However, the impact is limited by the time required due to throttling and the need for the API to be enabled. [1]
Mitigation
The issue is fixed in Statamic versions 3.2.39 and 3.3.2 [1]. Administrators should upgrade to these versions or later. If an upgrade cannot be applied immediately, disabling the REST API or the users endpoint (both are disabled by default) prevents exploitation. No other workarounds have been published. [2][3][4]
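The defensive pattern behind the fix described above is to decide server-side which fields and which conditions a client may filter on, so that a sensitive column such as the password hash can never be the subject of a filter and the result set cannot act as an oracle for it. The following is an added illustration written for this page, not Statamic's own code: the query-key shape filter[field:condition], the resource and field names, the condition set and the sample user records are all assumptions or constructed data.

```python
import re
from typing import Dict, List, Tuple

# Illustrative allowlist policy (an assumption, not Statamic's configuration):
# per resource, the fields a client may filter on and the conditions it may use.
# The password hash is deliberately absent, so no filter is ever evaluated
# against it and the presence or absence of results can not leak its characters.
ALLOWED_FILTERS = {
    "users": {
        "fields": {"name", "email"},
        # "regex" is intentionally left out: it lets a caller test one position
        # at a time, which is what turned the result set into a yes/no oracle.
        "conditions": {"is", "contains", "starts_with"},
    },
}

# Assumed query-string key shape: filter[<field>:<condition>], condition optional.
FILTER_KEY = re.compile(r"^filter\[(?P<field>[A-Za-z_]+)(?::(?P<condition>[A-Za-z_]+))?\]$")


class FilterRejected(ValueError):
    """Raised for a filter outside the allowlist; the endpoint should answer 400."""


def validate_filters(resource: str, query: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return the (field, condition, value) triples the policy permits, or raise."""
    policy = ALLOWED_FILTERS.get(resource)
    if policy is None:
        raise FilterRejected(f"resource {resource!r} does not accept filters")
    accepted = []
    for key, value in query.items():
        m = FILTER_KEY.match(key)
        if m is None:
            continue  # not a filter parameter (page, limit, ...)
        field = m.group("field")
        condition = m.group("condition") or "is"
        # Reject rather than silently drop: a dropped filter would return the
        # unfiltered list and confuse legitimate clients, and an explicit 400 is
        # something access-log based detection can alert on.
        if field not in policy["fields"]:
            raise FilterRejected(f"field {field!r} is not filterable on {resource!r}")
        if condition not in policy["conditions"]:
            raise FilterRejected(f"condition {condition!r} is not allowed on {resource!r}")
        accepted.append((field, condition, value))
    return accepted


def is_allowed(resource: str, query: Dict[str, str]) -> bool:
    """Convenience predicate: True when every filter in the query passes the policy."""
    try:
        validate_filters(resource, query)
        return True
    except FilterRejected:
        return False


def _matches(record_value: str, condition: str, value: str) -> bool:
    if condition == "is":
        return record_value == value
    if condition == "contains":
        return value in record_value
    if condition == "starts_with":
        return record_value.startswith(value)
    raise AssertionError(f"unreachable condition {condition!r}")  # already rejected above


def query_users(users: List[Dict[str, str]], query: Dict[str, str]) -> List[str]:
    """Return the emails of users matching every permitted filter in the query."""
    filters = validate_filters("users", query)
    return [
        u["email"]
        for u in users
        if all(_matches(u[field], cond, value) for field, cond, value in filters)
    ]


# Constructed sample records; the hash strings are placeholders, not real hashes.
SAMPLE_USERS = [
    {"name": "Ada", "email": "ada@example.test", "password": "$2y$PLACEHOLDER-HASH-1"},
    {"name": "Grace", "email": "grace@example.test", "password": "$2y$PLACEHOLDER-HASH-2"},
]

if __name__ == "__main__":
    print(query_users(SAMPLE_USERS, {"filter[email:contains]": "ada"}))
    try:
        query_users(SAMPLE_USERS, {"filter[password:regex]": "^a"})
    except FilterRejected as exc:
        print("rejected:", exc)
```

Two design points are worth noting. The allowlist is positive (fields are permitted by name) rather than a denylist of sensitive columns, so a newly added sensitive field is protected by default. And rejecting a disallowed filter with an error, instead of ignoring it, keeps the oracle closed: if the server silently dropped the filter and returned all users, the response would still differ from an empty result for a matching filter and the leak would remain.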
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| statamic/cms | Packagist | < 3.2.39 | 3.2.39 |
| statamic/cms | Packagist | >= 3.3.0, < 3.3.2 | 3.3.2 |
Affected products
- statamic/cms: < 3.2.39
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-qcgx-7p5f-hxvr (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-24784 (NVD)
- https://github.com/statamic/cms/issues/5604 (issue)
- https://github.com/statamic/cms/pull/5568 (pull request)
- https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr (vendor advisory)
News mentions
No linked articles in our index yet.