CVE-2026-49288: Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

June 26, 2026

An authenticated Control Panel user could view metadata and content for resources they don’t have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified.

References

github.com/advisories/GHSA-2497-6pwj-pwg7
github.com/statamic/cms/security/advisories/GHSA-2497-6pwj-pwg7
nvd.nist.gov/vuln/detail/CVE-2026-49288

Code Behaviors & Features

Detect and mitigate CVE-2026-49288 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →