CVE-2026-28424 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the Statamic content management system (CMS), which is built on Laravel and integrates Git for content management. The flaw exists in versions prior to 5.73.11 and between 6.0.0 and 6.4.0, where the user fieldtype’s data endpoint improperly includes email addresses of control panel users in its responses. This occurs even when the requesting user lacks the 'view users' permission, indicating a failure in enforcing proper authorization checks. The vulnerability allows authenticated users with limited privileges to access sensitive user email information, potentially enabling targeted phishing, social engineering, or further reconnaissance attacks. The vulnerability does not allow modification of data or disruption of service, thus impacting confidentiality but not integrity or availability. The issue was addressed and fixed in Statamic versions 5.73.11 and 6.4.0 by enforcing correct permission checks on the data endpoint. No public exploits have been reported to date, but the vulnerability's presence in a popular CMS component makes it a notable risk for organizations relying on affected versions.

The primary impact of CVE-2026-28424 is the unauthorized disclosure of control panel user email addresses, which compromises user confidentiality. This exposure can facilitate targeted phishing campaigns, spear-phishing, or social engineering attacks against administrative or privileged users, potentially leading to further compromise of organizational systems. While the vulnerability does not allow direct modification of data or denial of service, the leakage of sensitive user information can be a stepping stone for attackers to escalate privileges or gain unauthorized access through secondary attacks. Organizations using affected Statamic CMS versions face increased risk of user-targeted attacks, especially if email addresses are linked to critical administrative accounts. The vulnerability requires authenticated access with low privileges, which somewhat limits exposure but does not eliminate risk, particularly in environments with many users or where credentials may be shared or compromised. The absence of known exploits reduces immediate risk but does not preclude future exploitation.

To mitigate CVE-2026-28424, organizations should promptly upgrade Statamic CMS to versions 5.73.11 or 6.4.0 or later, where the authorization checks have been properly implemented. Until upgrades can be applied, administrators should restrict access to the control panel and limit user accounts to only those necessary, minimizing the number of users with any authenticated access. Implement strict role-based access controls and audit user permissions regularly to ensure no unnecessary privileges are granted. Monitoring access logs for unusual or unauthorized access attempts to the user fieldtype’s data endpoint can help detect exploitation attempts. Additionally, organizations should educate users about phishing risks, as leaked email addresses may be used in targeted attacks. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block suspicious requests to the vulnerable endpoint. Finally, consider implementing multi-factor authentication (MFA) for all control panel users to reduce the risk of credential compromise.