← back
CVE-2026-27939

Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass

CVSS 8.8 HIGHEPSS 0.4%CWE-287
Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
statamic · cms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3ahttps://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789