CVE-2026-41175
Improper Access Control in Statamic CMS Causes Data Deletion
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| statamic | statamic | Before 5.73.20 (exclusive) |
| statamic | statamic | From 6.0.0 (inclusive) before 6.13.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-470 | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
AI-Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Statamic allows for the loss of content, assets, and user accounts through manipulation of query parameters or GraphQL queries. This could lead to unauthorized deletion or alteration of data.
Such data loss or unauthorized access could impact compliance with regulations like GDPR or HIPAA, which require protection of personal data and maintaining data integrity and availability.
Specifically, if user accounts or personal data are deleted or altered without authorization, it may violate data protection and security requirements mandated by these standards.
However, exploitation requires either an authenticated Control Panel account with at least minimal permissions, or REST/GraphQL APIs that have been enabled without authentication; a properly configured deployment therefore reduces the risk.
Can you explain this vulnerability to me?
This vulnerability affects Statamic, a Laravel- and Git-powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on the Control Panel and REST API endpoints, or arguments in GraphQL queries, could lead to the loss of content, assets, and user accounts.
Exploitation on the Control Panel requires authentication but only minimal permissions, such as "view entries" permission to delete entries or "view users" permission to delete users. The REST and GraphQL API exploits do not require any permissions but these APIs are not enabled by default. To be vulnerable via REST or GraphQL, these APIs must be explicitly enabled without authentication and with specific resources enabled.
This vulnerability has been fixed in Statamic versions 5.73.20 and 6.13.0.
How can this vulnerability impact me?
The vulnerability can lead to the loss of important data including content, assets, and user accounts within the Statamic CMS.
If exploited via the Control Panel, an attacker with minimal permissions can delete entries or users. If exploited via the REST or GraphQL APIs (when enabled without authentication), an attacker can cause similar damage without any permissions.
This can result in significant disruption of website operations, data loss, and potential compromise of user management.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Statamic to version 5.73.20 or later on the 5.x line, or 6.13.0 or later on the 6.x line.
Additionally, ensure that the REST and GraphQL APIs are not enabled without authentication, as these endpoints can be exploited without permissions if enabled improperly.
Limit Control Panel user permissions to only what is necessary, since even minimal permissions like "view entries" or "view users" can be abused to delete content or users.