CVE-2026-28424: Statamic's missing authorization allows access to email addresses

March 1, 2026

User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.

References

github.com/advisories/GHSA-w878-f8c6-7r63
github.com/statamic/cms
github.com/statamic/cms/releases/tag/v5.73.11
github.com/statamic/cms/releases/tag/v6.4.0
github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63
nvd.nist.gov/vuln/detail/CVE-2026-28424

Code Behaviors & Features

Detect and mitigate CVE-2026-28424 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →