6.5
Statamic Exposes User Email Addresses in Control Panel
CVE-2026-28424
GHSA-w878-f8c6-7r63
Summary
Statamic's control panel may reveal users' email addresses to people who shouldn't see them. Control panel users without permission to view other users' info could still access email addresses through the control panel. Statamic has fixed this issue in versions 5.73.11 and 6.4.0, so update to one of these versions to fix the problem.
What to do
- Update statamic cms to version 5.73.11.
- Update statamic cms to version 6.4.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| statamic | cms | <= 5.73.11 | 5.73.11 |
| statamic | cms | > 6.0.0-alpha.1 , <= 6.4.0 | 6.4.0 |
| statamic | statamic | <= 5.73.11 | – |
| statamic | statamic | > 6.0.0 , <= 6.4.0 | – |
Original title
Statamic's missing authorization allows access to email addresses
Original description
### Impact
User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.
### Patches
This has been fixed in 5.73.11 and 6.4.0.
nvd CVSS3.1
6.5
Vulnerability type
CWE-862
Missing Authorization
- https://nvd.nist.gov/vuln/detail/CVE-2026-28424
- https://github.com/advisories/GHSA-w878-f8c6-7r63
- https://github.com/statamic/cms/releases/tag/v5.73.11 Release Notes
- https://github.com/statamic/cms/releases/tag/v6.4.0 Release Notes
- https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63 Patch Vendor Advisory
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026