Authorization Bypass in Statamic CMS Live Preview Feature
CVE-2026-54244

3.5LOW

Key Information:

Vendor

Statamic

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-54244?

In Statamic CMS, a vulnerability exists in the Live Preview endpoint, allowing a Control Panel user with view permissions but without edit permissions to submit unauthorized content. This occurs because the preview system only checks view authorization, accepting and rendering user-supplied field values. This flaw could be exploited to generate a shareable Live Preview URL for content that the user is not allowed to access. Versions 5.74.0 and 6.20.3 contain fixes for this issue.

Affected Version(s)

cms < 5.74.0 < 5.74.0

cms >= 6.0.0, < 6.20.3 < 6.0.0, 6.20.3

References

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.