CVE-2026-41175
Received Received - Intake
Improper Access Control in Statamic CMS Causes Data Deletion

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41175
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
statamic statamic to 5.73.20 (exc)
statamic statamic From 6.0.0 (inc) to 6.13.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Statamic allows for the loss of content, assets, and user accounts through manipulation of query parameters or GraphQL queries. This could lead to unauthorized deletion or alteration of data.

Such data loss or unauthorized access could impact compliance with regulations like GDPR or HIPAA, which require protection of personal data and maintaining data integrity and availability.

Specifically, if user accounts or personal data are deleted or altered without authorization, it may violate data protection and security requirements mandated by these standards.

However, exploitation requires certain conditions such as minimal permissions in the Control Panel or enabling REST/GraphQL APIs without authentication, which may mitigate risk if properly configured.

Executive Summary

This vulnerability affects Statamic, a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on the Control Panel and REST API endpoints, or arguments in GraphQL queries, could lead to the loss of content, assets, and user accounts.

Exploitation on the Control Panel requires authentication but only minimal permissions, such as "view entries" permission to delete entries or "view users" permission to delete users. The REST and GraphQL API exploits do not require any permissions but these APIs are not enabled by default. To be vulnerable via REST or GraphQL, these APIs must be explicitly enabled without authentication and with specific resources enabled.

This vulnerability has been fixed in Statamic versions 5.73.20 and 6.13.0.

Impact Analysis

The vulnerability can lead to the loss of important data including content, assets, and user accounts within the Statamic CMS.

If exploited via the Control Panel, an attacker with minimal permissions can delete entries or users. If exploited via the REST or GraphQL APIs (when enabled without authentication), an attacker can cause similar damage without any permissions.

This can result in significant disruption of website operations, data loss, and potential compromise of user management.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Statamic to version 5.73.20 or 6.13.0 or later.

Additionally, ensure that the REST and GraphQL APIs are not enabled without authentication, as these endpoints can be exploited without permissions if enabled improperly.

Limit Control Panel user permissions to only what is necessary, since even minimal permissions like "view entries" or "view users" can be abused to delete content or users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41175. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart