CVE-2026-27939:
Privilege escalation vulnerability in Statamic CMS versions 6.0.0 to 6.3.x allows authenticated users to bypass verification steps and gain elevated access.
Score
- CVSS v3.1 Base Score: 8.8 (High)
- Published Date: Feb 27, 2026
- CISA KEV Date: No Data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.0
- EPSS Percentile: 2%
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
Statamic CMS versions 6.0.0 to 6.3.x contain a security flaw that allows authenticated users to bypass certain verification steps, potentially leading to privilege escalation. The vulnerability, identified as CVE-2026-27939, has a CVSS v3.1 base score of 8.8 (High severity). It requires low attack complexity and only low privileges, with no user interaction needed. The attack vector is network-based, and the impact on confidentiality, integrity, and availability is high. The weakness is classified as CWE-287 (Improper Authentication).
Remediation
- To address this vulnerability, users of Statamic CMS should upgrade to version 6.4.0 or later, which includes a fix for the privilege escalation issue. System administrators should prioritize this update, especially for installations whose Control Panel is reachable over the network. Additionally, review and tighten access controls for authenticated users in the Control Panel, and monitor authentication and role-change activity for anything that might indicate exploitation of this vulnerability.