VYPR
← All advisories
High severityNVD Advisory· Published Feb 27, 2026· Updated Mar 2, 2026

Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass

CVE-2026-27939

Description

Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users of Statmatic CMS can bypass privilege verification steps via manipulated redirects, potentially escalating privileges; fixed in version 6.4.0.

Vulnerability

Overview

CVE-2026-27939 affects Statmatic CMS versions 6.0.0 through 6.4.0. The vulnerability allows authenticated Control Panel users to obtain elevated privileges without completing the intended verification step [1]. The root cause lies in insufficient validation of redirect URLs during authentication and form handling, which could be exploited to bypass security checks [2].

Exploitation

Conditions

An attacker must have valid credentials and access to the Statmatic Control Panel. The attack complexity is low, requiring no special network position beyond normal user access. By crafting a malicious redirect request, the attacker can skip the verification step that would normally restrict privilege escalation [4].

Impact

Successful exploitation can lead to privilege escalation, granting the attacker access to sensitive operations and administrative functions that exceed their original permissions. The severity depends on the attacker's existing role, but in worst-case scenarios, full control over the CMS may be achieved [1][4].

Mitigation

The issue has been patched in Statmatic CMS version 6.4.0. Users are strongly advised to upgrade immediately. The fix includes hardening redirect validation to prevent external or unauthorized redirects that could bypass verification [2]. No workarounds have been published.

References
  1. NVD - CVE-2026-27939
  2. [5.x] Harden redirects (#14099) · statamic/cms@8639ef9
  3. Privilege escalation via elevated session bypass

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
statamic/cmsPackagist
>= 6.0.0, < 6.4.06.4.0

Affected products

2

Patches

1
8639ef96217e

[5.x] Harden redirects (#14099)

https://github.com/statamic/cmsJason VargaFeb 27, 2026via ghsa
commit
4 files changed · +63 3
  • src/Exceptions/Concerns/RendersControlPanelExceptions.php+2 1 modified
    @@ -3,6 +3,7 @@
 namespace Statamic\Exceptions\Concerns;
 
 use Illuminate\Auth\Access\AuthorizationException as IlluminateAuthException;
+use Statamic\Facades\URL;
 
 trait RendersControlPanelExceptions
 {
@@ -21,7 +22,7 @@ protected function getAuthExceptionRedirectUrl()
 
         // If we came to this URL from another, we'll send them back, but not
         // if it was the login page otherwise there'd be a redirect loop.
-        if ($referrer && $referrer != cp_route('login')) {
+        if ($referrer && $referrer != cp_route('login') && ! URL::isExternalToApplication($referrer)) {
             return $referrer;
         }
  • src/Http/Controllers/FormController.php+6 2 modified
    @@ -124,7 +124,9 @@ private function formFailure($params, $errors, $form)
 
         $redirect = Arr::get($params, '_error_redirect');
 
-        $response = $redirect ? redirect($redirect) : back();
+        $response = $redirect && ! \Statamic\Facades\URL::isExternalToApplication($redirect)
+            ? redirect($redirect)
+            : back();
 
         return $response->withInput()->withErrors($errors, 'form.'.$form);
     }
@@ -152,7 +154,9 @@ private function formSuccess($params, $submission, $silentFailure = false)
             ]);
         }
 
-        $response = $redirect ? redirect($redirect) : back();
+        $response = $redirect && ! \Statamic\Facades\URL::isExternalToApplication($redirect)
+            ? redirect($redirect)
+            : back();
 
         if (! \Statamic\Facades\URL::isExternal($redirect)) {
             session()->flash("form.{$submission->form()->handle()}.success", __('Submission successful.'));
  • tests/CP/AuthRedirectTest.php+14 0 modified
    @@ -68,6 +68,20 @@ public function it_redirects_somewhere_if_the_referrer_was_the_login_page()
             ->assertSessionHas(['error' => "Can't touch this."]);
     }
 
+    #[Test]
+    public function it_does_not_redirect_to_external_referrer()
+    {
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = tap(User::make()->assignRole('test'))->save();
+
+        $this
+            ->actingAs($user)
+            ->withHeaders(['referer' => 'https://external.com'])
+            ->get('/cp/hammertime')
+            ->assertRedirect(cp_route('index'))
+            ->assertSessionHas(['error' => "Can't touch this."]);
+    }
+
     #[Test]
     public function it_redirects_to_unauthorized_view_if_there_would_be_a_redirect_loop()
     {
  • tests/Tags/Form/FormCreateTest.php+41 0 modified
    @@ -677,6 +677,24 @@ public function it_will_submit_form_and_follow_custom_redirect_with_success()
         $this->assertStringContainsString('<div class="analytics"></div>', $output);
     }
 
+    #[Test]
+    public function it_does_not_follow_external_redirect_on_success()
+    {
+        $this->assertEmpty(Form::find('contact')->submissions());
+
+        $this
+            ->from('/contact')
+            ->post('/!/forms/contact', [
+                'email' => 'san@holo.com',
+                'message' => 'hello',
+                '_redirect' => 'https://evil.com/phishing',
+            ])
+            ->assertSessionHasNoErrors()
+            ->assertLocation('/contact');
+
+        $this->assertCount(1, Form::find('contact')->submissions());
+    }
+
     #[Test]
     public function it_will_submit_form_with_honeypot_filled_and_render_fake_success()
     {
@@ -753,6 +771,29 @@ public function it_wont_submit_form_and_follow_custom_redirect_with_errors()
         $this->assertEmpty($success[1]);
     }
 
+    #[Test]
+    public function it_does_not_follow_external_error_redirect()
+    {
+        $this->assertEmpty(Form::find('contact')->submissions());
+
+        Event::listen(function (\Statamic\Events\FormSubmitted $event) {
+            throw ValidationException::withMessages(['custom' => 'This is a custom message']);
+        });
+
+        $this
+            ->from('/contact')
+            ->post('/!/forms/contact', [
+                '_error_redirect' => 'https://evil.com/phishing',
+                'name' => 'Hansolo',
+                'email' => 'san@holo.com',
+                'message' => 'hello',
+            ])
+            ->assertSessionHasErrors(['custom'], null, 'form.contact')
+            ->assertLocation('/contact');
+
+        $this->assertCount(0, Form::find('contact')->submissions());
+    }
+
     #[Test]
     public function it_will_use_redirect_query_param_off_url()
     {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.