Moderate severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 2, 2026
Statamic's missing authorization allows access to email addresses
CVE-2026-28424
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | < 5.73.11 | 5.73.11 |
| statamic/cms (Packagist) | >= 6.0.0-alpha.1, < 6.4.0 | 6.4.0 |
References
- github.com/advisories/GHSA-w878-f8c6-7r63 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-28424 (ADVISORY)
- github.com/statamic/cms/releases/tag/v5.73.11 (WEB, x_refsource_MISC)
- github.com/statamic/cms/releases/tag/v6.4.0 (WEB, x_refsource_MISC)
- github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63 (WEB, x_refsource_CONFIRM)