CVE-2026-27939
Published: 27 February 2026
Summary
CVE-2026-27939 is a high-severity Improper Authentication (CWE-287) vulnerability in Statamic Statamic. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of flaws like CVE-2026-27939, directly preventing exploitation through patching to version 6.4.0 or later.
IA-11 mandates re-authentication for privileged functions, directly countering the CVE's bypass of the intended verification step for elevated privileges.
AC-6 enforces least privilege, limiting the impact of potential privilege escalation by ensuring authenticated Control Panel users have only necessary permissions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a post-authentication improper authentication flaw (CWE-287) that lets an already-authenticated Control Panel user bypass a verification step to obtain elevated privileges, directly enabling the Exploitation for Privilege Escalation technique (T1068).
NVD Description
Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow…
more
access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
Deeper analysisAI
CVE-2026-27939 is an improper authentication vulnerability (CWE-287) in Statamic, a Laravel and Git-powered content management system (CMS). It affects versions 6.0.0 through 6.3.x, prior to the fixed release of 6.4.0. Authenticated Control Panel users can, under certain conditions, bypass the intended verification step to obtain elevated privileges, enabling access to sensitive operations and potential privilege escalation based on their existing permissions. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with existing authenticated access to the Statamic Control Panel can exploit this issue remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to perform unauthorized sensitive operations, leading to high impacts on confidentiality, integrity, and availability, including potential full privilege escalation depending on the user's baseline permissions.
The vulnerability has been addressed in Statamic version 6.4.0. Official mitigation details are available in the GitHub security advisory at https://github.com/statamic/cms/security/advisories/GHSA-rw9x-pxqx-q789 and the fixing commit at https://github.com/statamic/cms/commit/8639ef96217eaa682bc42e8a62769cb7c6a85d3a. Security practitioners should upgrade to 6.4.0 or later and review Control Panel user permissions.
Details
- CWE(s)