
CVE-2026-28424: CWE-862: Missing Authorization in statamic cms

Severity: Medium
Tags: Vulnerability, CVE-2026-28424, CWE-862
Published: Fri Feb 27 2026 (02/27/2026, 22:14:01 UTC)
Source: CVE Database V5
Vendor/Project: statamic
Product: cms

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/07/2026, 21:21:07 UTC

Technical Analysis

CVE-2026-28424 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting Statamic CMS, a Laravel and Git-powered content management system. The flaw exists in versions prior to 5.73.11 and from 6.0.0 up to but not including 6.4.0. Specifically, the vulnerability arises from insufficient authorization checks on the user fieldtype’s data endpoint within the control panel. This endpoint inadvertently exposes email addresses of control panel users to requesters who lack the 'view users' permission. The issue is a direct consequence of missing or inadequate access control enforcement, allowing unauthorized users with some level of authenticated access (low privileges) to retrieve sensitive user information. The vulnerability does not permit modification or deletion of data, nor does it impact system availability, but it compromises confidentiality by leaking personally identifiable information (email addresses). The flaw can be exploited remotely over the network without requiring user interaction, making it easier for attackers with limited privileges to gather sensitive information. The vendor addressed this issue by implementing proper authorization checks in versions 5.73.11 and 6.4.0. No public exploits have been reported to date, but the vulnerability's nature makes it a potential target for reconnaissance and phishing campaigns. The CVSS v3.1 base score is 6.5, reflecting a medium severity rating due to the high confidentiality impact but limited scope and no integrity or availability impact.

Potential Impact

The primary impact of CVE-2026-28424 is the unauthorized disclosure of email addresses of control panel users within Statamic CMS installations. This leakage can facilitate targeted phishing attacks, social engineering, and further reconnaissance by threat actors. Organizations relying on Statamic CMS for website or content management may inadvertently expose sensitive user information to unauthorized internal or external actors with low-level access. While the vulnerability does not allow direct system compromise or data manipulation, the exposure of email addresses can lead to secondary attacks that compromise organizational security posture. The impact is particularly significant for organizations with high-value or sensitive user accounts, such as government agencies, financial institutions, or enterprises with critical internal communications. Additionally, the vulnerability could erode user trust and violate privacy regulations if exploited. Since exploitation requires only low privileges and no user interaction, attackers who gain minimal access to the CMS could leverage this flaw to escalate their reconnaissance efforts. However, the absence of known exploits in the wild reduces immediate risk, though the vulnerability should be treated seriously given its potential for abuse.

Mitigation Recommendations

To mitigate CVE-2026-28424, organizations should upgrade Statamic CMS to version 5.73.11 or later (5.x branch) or 6.4.0 or later (6.x branch), where the authorization checks have been properly implemented. If immediate upgrading is not feasible, administrators should restrict access to the control panel and its endpoints to trusted users only and minimize the number of accounts that hold any control panel access. Implement network-level controls such as IP allowlisting or VPN access to limit exposure of the CMS interface. Review and tighten user permissions so that only the users who need it can reach sensitive endpoints. Monitor logs for unusual access patterns to the user fieldtype’s data endpoint, particularly requests from accounts that lack the "view users" permission, since these may indicate exploitation attempts. Additionally, consider deploying a web application firewall (WAF) with custom rules to detect and block unauthorized requests targeting this endpoint. Educate users about phishing risks, as leaked email addresses could be used in social engineering attacks. Regularly audit CMS configurations and user permissions to prevent privilege creep. Finally, maintain an incident response plan to quickly address any suspected data exposure.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-27T15:54:05.136Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a21f2232ffcdb8a27f4a8c

Added to database: 2/27/2026, 10:48:02 PM

Last enriched: 3/7/2026, 9:21:07 PM

Last updated: 4/14/2026, 9:20:53 AM

