CVE-2026-54244: Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors

June 26, 2026

The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareable Live Preview URL rendering it.

References

github.com/advisories/GHSA-7mqq-4v55-88gh
github.com/statamic/cms/security/advisories/GHSA-7mqq-4v55-88gh
nvd.nist.gov/vuln/detail/CVE-2026-54244

Code Behaviors & Features

Detect and mitigate CVE-2026-54244 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →