Statamic's missing authorization allows access to email addresses
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Statamic CMS prior to 5.73.11 and 6.4.0 exposed user email addresses via the user fieldtype data endpoint to control panel users who lacked the "view users" permission.
Vulnerability
Overview
CVE-2026-28424 describes an information disclosure vulnerability in Statamic, a Laravel and Git powered CMS. The user fieldtype's data endpoint failed to enforce the "view users" permission, so its responses included user email addresses even for control panel users who lacked that permission [1][4]. This missing authorization check allowed access to user information that the permission model was meant to restrict.
Exploitation
An authenticated control panel user without the "view users" permission could query the user fieldtype data endpoint and receive email addresses of other users. The attack requires only a valid control panel session and does not require any special privileges beyond basic access [4]. The endpoint did not verify whether the requesting user had the necessary permission to view user details.
Impact
Successful exploitation leads to the exposure of user email addresses, which can be used for targeted phishing or social engineering attacks. While the vulnerability does not allow modification of data or privilege escalation, the confidentiality impact is significant as email addresses are considered private information [1][4].
Mitigation
The issue has been addressed in Statamic versions 5.73.11 and 6.4.0. The fix ensures that the user fieldtype data endpoint respects the "view users" permission and only returns email addresses to authorized users [2][4]. Users are strongly advised to upgrade to a patched version.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
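The following plain PHP is an added illustration, not Statamic's code or its actual patch; the class and function names are hypothetical. It places the described vulnerable response shape beside the fixed one, where the requesting user's "view users" permission, rather than the subject record alone, decides whether the email field is present.

```php
<?php
// Added illustration for CVE-2026-28424, not Statamic's code or its patch.
// Models the described defect: a control-panel data endpoint that returned
// user email addresses regardless of the caller's "view users" permission,
// beside the fixed shape that derives the response from that permission.
declare(strict_types=1);

final class CpUser
{
    /** @param list<string> $permissions */
    public function __construct(
        public readonly string $id,
        public readonly string $name,
        public readonly string $email,
        public readonly array $permissions = [],
    ) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Vulnerable shape: the item is built from the subject alone, so every
// authenticated caller receives the email address.
function userFieldtypeItemVulnerable(CpUser $subject): array
{
    return ['id' => $subject->id, 'title' => $subject->name, 'email' => $subject->email];
}

// Fixed shape: the requester is an input to the serializer, and the email
// field exists in the response only when the requester may view users.
function userFieldtypeItemFixed(CpUser $requester, CpUser $subject): array
{
    $item = ['id' => $subject->id, 'title' => $subject->name];
    if ($requester->can('view users')) {
        $item['email'] = $subject->email;
    }
    return $item;
}

// Constructed sample data: Alice may view users, Bob may not.
$alice = new CpUser('u1', 'Alice', 'alice@example.invalid', ['view users']);
$bob   = new CpUser('u2', 'Bob', 'bob@example.invalid');

foreach ([$alice, $bob] as $requester) {
    $items  = array_map(fn (CpUser $u) => userFieldtypeItemFixed($requester, $u), [$alice, $bob]);
    $emails = array_filter($items, fn (array $i) => array_key_exists('email', $i));
    printf("%s (view users: %s) receives %d email field(s)\n",
        $requester->name, $requester->can('view users') ? 'yes' : 'no', count($emails));
}
```

A regression test for the fix should assert on the serialized response of the endpoint for a user without the permission, since the defect lived in the data endpoint rather than in the control panel UI that consumes it.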
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | < 5.73.11 | 5.73.11 |
| statamic/cms (Packagist) | >= 6.0.0-alpha.1, < 6.4.0 | 6.4.0 |
Affected products
- statamic/cms v5, range: < 5.73.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w878-f8c6-7r63 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28424 (NVD entry)
- github.com/statamic/cms/releases/tag/v5.73.11 (release notes)
- github.com/statamic/cms/releases/tag/v6.4.0 (release notes)
- github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63 (vendor advisory)
News mentions
No linked articles in our index yet.