CVE-2026-41175 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: April 22, 2026
Statamic - Broken Access Control
Published: April 22, 2026 | Updated: April 22, 2026 | Remote Exploitable
Overview
Statamic versions below 5.73.20 and below 6.13.0 contain an authorization bypass caused by improper permission checks on Control Panel, REST API, and GraphQL endpoints, allowing attackers to delete content, assets, and user accounts. Exploitation requires only minimal permissions, or no authentication at all if the APIs are enabled.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers can delete content, assets, and user accounts, causing data loss and disruption.
Mitigation
Update to version 5.73.20 or later, or 6.13.0 or later.
Details
- CVE ID: CVE-2026-41175
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-470
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H