High severityNVD Advisory· Published Feb 27, 2026· Updated Mar 2, 2026
Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
CVE-2026-27939
Description
Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
statamic/cmsPackagist | >= 6.0.0, < 6.4.0 | 6.4.0 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-rw9x-pxqx-q789ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27939ghsaADVISORY
- github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3aghsax_refsource_MISCWEB
- github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.