Skip to main content

Statamic CMS CVE-2026-54244

LOW
Incorrect Authorization (CWE-863)
2026-06-26 https://github.com/statamic/cms GHSA-7mqq-4v55-88gh
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
3.5 LOW

PR:L confirmed since Control Panel account is required; UI:R because third-party must view the shared preview URL for meaningful impact; I:L only since no content is persisted or published.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 23:33 vuln.today
Analysis Generated
Jun 26, 2026 - 23:33 vuln.today

DescriptionGitHub Advisory

Impact

The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareable Live Preview URL rendering it.

Patches

This has been fixed in 5.74.0 and 6.20.3.

AnalysisAI

Incorrect authorization in Statamic CMS's Live Preview endpoint allows authenticated Control Panel users with view-only permissions to submit and render arbitrary field values they are not authorized to edit. By exploiting this flaw, a restricted user can generate a shareable Live Preview URL that displays unauthorized content as if authored through legitimate editorial workflow. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Control Panel with view-only account
Delivery
Identify target entry or term Live Preview endpoint
Exploit
Craft HTTP request with unauthorized caller-supplied field values
Execution
Submit request to render fabricated preview content
Persist
Obtain shareable Live Preview URL
Impact
Distribute URL to third parties to display unauthorized content

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated Control Panel account with at minimum view permission on entries or terms - unauthenticated external access is not sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 3.5 (Low) accurately reflects the constrained impact: exploitation requires a valid Control Panel account with at least view permission (PR:L), user interaction is needed for the preview URL to be viewed (UI:R), and the integrity impact is limited to generating a preview rendering - not actual content publication or database modification (I:L, C:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Control Panel user assigned a view-only role navigates to an existing entry's Live Preview endpoint and crafts an HTTP request that includes caller-supplied field values containing unauthorized or fabricated content. The endpoint renders this content and returns a shareable preview URL, which the attacker distributes externally to present misleading information under the appearance of the legitimate site's branding. …
Remediation Upgrade Statamic CMS to version 5.74.0 (for 5.x deployments) or 6.20.3 (for 6.x deployments), as confirmed by the vendor in the GitHub Security Advisory GHSA-7mqq-4v55-88gh at https://github.com/statamic/cms/security/advisories/GHSA-7mqq-4v55-88gh. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy