Authorization Bypass in Statamic CMS Live Preview Feature
CVE-2026-54244
3.5LOW
What is CVE-2026-54244?
In Statamic CMS, a vulnerability exists in the Live Preview endpoint, allowing a Control Panel user with view permissions but without edit permissions to submit unauthorized content. This occurs because the preview system only checks view authorization, accepting and rendering user-supplied field values. This flaw could be exploited to generate a shareable Live Preview URL for content that the user is not allowed to access. Versions 5.74.0 and 6.20.3 contain fixes for this issue.
Affected Version(s)
cms < 5.74.0 < 5.74.0
cms >= 6.0.0, < 6.20.3 < 6.0.0, 6.20.3
