CVE-2026-27593

9.3 CRITICAL

📋 TL;DR

This vulnerability in Statamic CMS allows attackers to hijack password reset tokens and take over user accounts. An attacker needs a valid email address and must trick the user into clicking a malicious reset link. All Statamic installations below versions 6.3.3 and 5.73.10 are affected.

💻 Affected Systems

Products:
  • Statamic CMS
Versions: All versions below 6.3.3 (for v6) and below 5.73.10 (for v5)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. Requires a PHP/Laravel environment.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and full system compromise.

🟠 Likely Case

Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive content or administrative functions.

🟢 If Mitigated

Limited impact with proper user awareness training and monitoring, though risk remains if users click malicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to trick users into clicking malicious password reset links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.3 or 5.73.10

Vendor Advisory: https://github.com/statamic/cms/releases/tag/v5.73.10

Restart Required: No

Instructions:

1. Back up your Statamic installation.
2. Update to version 6.3.3 (if using v6) or 5.73.10 (if using v5).
3. Run 'composer update' if using Composer.
4. Clear the Laravel cache with 'php artisan cache:clear'.

🔧 Temporary Workarounds

Disable password reset functionality
Versions: all
Temporarily disable the password reset feature to prevent exploitation.
Modify routes or middleware to block the /password/reset endpoints.

Implement rate limiting on reset requests
Versions: all
Add rate limiting to password reset endpoints to reduce the attack surface.
Configure Laravel rate limiting middleware for the password reset routes.

🧯 If You Can't Patch

  • Implement multi-factor authentication for all user accounts
  • Monitor logs for unusual password reset activity and alert on suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the Statamic version in composer.json or via the 'php artisan statamic:version' command

Check Version:

php artisan statamic:version

Verify Fix Applied:

Confirm version is 6.3.3 or higher (for v6) or 5.73.10 or higher (for v5)

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset requests for same email from different IPs
  • Password reset success logs for users who didn't request reset

Network Indicators:

  • Unusual patterns of POST requests to /password/reset endpoints

SIEM Query:

source="web_logs" AND (uri_path="/password/reset" OR uri_path="/password/email") | stats count by src_ip, user_email
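As an added example (not part of this advisory), the following Python script applies the two indicators above to constructed JSON web-log records whose field names follow the SIEM query; the timestamp format, the 10-minute window and the three-IP threshold are assumptions to tune for your environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names follow the SIEM query
# above (src_ip, uri_path, user_email); the timestamp format is an assumption.
SAMPLE_LOGS = """\
{"ts": "2026-03-01T10:00:00Z", "src_ip": "198.51.100.10", "method": "POST", "uri_path": "/password/email", "user_email": "admin@example.test"}
{"ts": "2026-03-01T10:00:20Z", "src_ip": "198.51.100.11", "method": "POST", "uri_path": "/password/email", "user_email": "admin@example.test"}
{"ts": "2026-03-01T10:00:45Z", "src_ip": "203.0.113.5", "method": "POST", "uri_path": "/password/email", "user_email": "admin@example.test"}
{"ts": "2026-03-01T10:05:00Z", "src_ip": "192.0.2.7", "method": "POST", "uri_path": "/password/email", "user_email": "alice@example.test"}
{"ts": "2026-03-01T10:06:00Z", "src_ip": "192.0.2.7", "method": "GET", "uri_path": "/password/reset/TOKEN", "user_email": ""}
{"ts": "2026-03-01T11:00:00Z", "src_ip": "192.0.2.9", "method": "POST", "uri_path": "/password/email", "user_email": "alice@example.test"}
"""

RESET_PATHS = ("/password/reset", "/password/email")

def parse_logs(text):
    """Parse newline-delimited JSON records; 'ts' becomes a datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events

def reset_requests(events):
    """Keep only POSTs to the reset endpoints that name a user email."""
    return [e for e in events
            if e["method"] == "POST" and e.get("user_email")
            and any(e["uri_path"].startswith(p) for p in RESET_PATHS)]

def flag_multi_ip_resets(events, window=timedelta(minutes=10), min_ips=3):
    """Return {email: sorted IPs} for emails whose reset requests came from
    at least `min_ips` distinct source IPs within any sliding `window`."""
    by_email = defaultdict(list)
    for e in reset_requests(events):
        by_email[e["user_email"]].append((e["ts"], e["src_ip"]))
    flagged = {}
    for email, hits in by_email.items():
        hits.sort()  # oldest first
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[email] = sorted(ips)
    return flagged
```

On the sample data only the admin account is flagged: three source IPs request a reset for it within 45 seconds, while the two alice requests are 55 minutes apart and fall outside the window.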
