Statamic CMS, Incorrect Authorization, CVE-2026-54244 (Low) -DC-Jun2026-721


The Live Preview functionality in Statamic CMS is designed to give content editors a real‑time view of how an entry or term will appear before publishing. Under normal operation, when a user with edit permissions opens Live Preview, the endpoint receives the current field values from the client, renders the preview using the site’s front‑end templates, and returns the rendered HTML. The endpoint is also used to generate shareable preview URLs that can be distributed to stakeholders for review.
The vulnerability stems from an authorization flaw in how the Live Preview endpoint handles incoming requests. For existing entries and terms, the endpoint performs an authorization check that only verifies whether the authenticated user has view permission on the resource. It does not verify whether the user has edit permission or any other higher‑privileged capability. Crucially, the endpoint accepts and processes caller‑supplied field values via the request payload, rather than loading the canonical data from the database.
This creates a dangerous mismatch: a user who has only view permission (e.g., a content reviewer or a restricted role) can call the Live Preview endpoint, supply arbitrary field values for fields they would normally not be allowed to modify, and have those values rendered by the CMS. Because the endpoint only checks view permission, the request is accepted and processed. The rendered preview, which incorporates the attacker‑supplied data, is then returned to the user and can also be turned into a shareable Live Preview URL.

An attacker with view‑only access can therefore:

  • Submit content for fields they are not authorized to edit (e.g., modify SEO metadata, custom fields, or even system fields).
  • Generate a permanent shareable Live Preview URL that reflects the tampered content, potentially misleading reviewers or being used in social‑engineering attacks.
  • Bypass the intended editorial workflow, as the endpoint treats the request as if it came from a legitimate editor.
The root cause is incomplete authorization logic (the endpoint checks view permission where a write‑like operation calls for edit permission), combined with the endpoint's willingness to accept and render client‑supplied data. This is a classic case of Incorrect Authorization (CWE‑863). The vulnerability affects all Statamic CMS versions before 5.74.0 and all 6.x versions before 6.20.3. It was fixed in 5.74.0 and 6.20.3 by enforcing proper edit permission checks before processing caller‑supplied field values and by ensuring that the Live Preview endpoint only renders data that the user is actually allowed to modify.

DailyCVE Form:

Platform: Statamic CMS
Version: < 5.74.0; 6.0.0 to < 6.20.3
Vulnerability: Incorrect Authorization
Severity: Low
Date: 2026-06-09

Prediction: 2026-06-26

What Undercode Say:

Analytics – The vulnerability was introduced in an unspecified earlier version and remained exploitable until the patches were released. GitHub reviewed and published the advisory on 2026-06-09, with the CVE formally assigned on 2026-06-26. The CVSS v3.1 base score is 4.3 (Medium), with attack vector Network, low complexity, low privileges required, and no user interaction. The EPSS score is 0.0, indicating a very low likelihood of active exploitation in the wild.
Bash Commands & Codes – To check your Statamic version, run:

composer show statamic/cms | grep versions

To test for the vulnerability (requires a valid session cookie and a view‑only user):

curl -X POST "https://your-statamic-site.com/cp/live-preview/entries/{entry_id}" \
  -H "Cookie: statamic_session=..." \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: application/json" \
  -d '{"fields":{"{field_handle}":"Hacked","content":"Injected content"}}'

If the endpoint returns a rendered preview with the injected values, the site is vulnerable.

Exploit:

An authenticated Control Panel user with only view permission on a given entry or term can call the Live Preview endpoint and supply arbitrary field values. The endpoint accepts these values, renders them using the front‑end templates, and returns the preview HTML. The attacker can then share the generated Live Preview URL with others, who will see the tampered content as if it were legitimate. This effectively allows a view‑only user to author and publish (in preview form) content they are not authorized to modify.

Protection:

Upgrade to Statamic CMS 5.74.0 or later on the 5.x line, or 6.20.3 or later on the 6.x line. If immediate upgrading is not possible, restrict access to the Live Preview endpoint to trusted editor roles only, or disable the Live Preview feature for view‑only users via custom middleware until the patch can be applied.
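The authorization flaw described above (view permission checked where edit permission is required, with caller‑supplied field values rendered regardless), the handler‑level fix, and the interim middleware‑style restriction suggested under Protection, modelled together as an added example. This is plain PHP written for this page, not Statamic's own code: the Entry and User classes, the render() stand‑in for the template engine, the "view"/"edit" ability names and all sample data are constructed assumptions. It runs stand‑alone with PHP 8.1 or later (php preview_authz.php).

```php
<?php
// Added illustration, not Statamic's code: a plain-PHP model of the Live Preview
// authorization flaw (view checked where edit is needed), the handler-level fix, and the
// interim middleware-style guard. Requires PHP 8.1+. Run with: php preview_authz.php
declare(strict_types=1);

final class Entry
{
    /** @param array<string,string> $data canonical stored field values (constructed) */
    public function __construct(public readonly string $id, public readonly array $data) {}
}

final class User
{
    /** @param array<string,string[]> $grants entry id => abilities, e.g. ['home' => ['view']] */
    public function __construct(private readonly array $grants) {}

    public function can(string $ability, Entry $entry): bool
    {
        return in_array($ability, $this->grants[$entry->id] ?? [], true);
    }
}

final class Forbidden extends RuntimeException {}

/** Stand-in for the front-end template renderer: one element per field. */
function render(array $fields): string
{
    $html = '';
    foreach ($fields as $handle => $value) {
        $html .= sprintf('<div class="%s">%s</div>', htmlspecialchars($handle), htmlspecialchars($value));
    }
    return $html;
}

/** VULNERABLE pattern: only "view" is checked, then caller-supplied values replace stored ones. */
function previewVulnerable(User $user, Entry $entry, array $supplied): string
{
    if (!$user->can('view', $entry)) {
        throw new Forbidden('no view permission');
    }
    return render(array_merge($entry->data, $supplied)); // the caller controls what is rendered
}

/** FIXED pattern: overriding stored values is write-like, so "edit" is required whenever the
 *  payload carries field values; a bare request still gets the canonical, stored rendering. */
function previewFixed(User $user, Entry $entry, array $supplied): string
{
    if (!$user->can('view', $entry)) {
        throw new Forbidden('no view permission');
    }
    if ($supplied !== [] && !$user->can('edit', $entry)) {
        throw new Forbidden('edit permission required to preview modified fields');
    }
    return render(array_merge($entry->data, $supplied));
}

/** Interim mitigation in the shape of middleware: the same edit check placed in front of the
 *  unpatched handler, so view-only users cannot reach it with a field payload. */
function previewGuard(User $user, Entry $entry, array $supplied, callable $handler): string
{
    if ($supplied !== [] && !$user->can('edit', $entry)) {
        throw new Forbidden('live preview with field overrides is limited to editors');
    }
    return $handler($user, $entry, $supplied);
}

/** True when the callable is refused by the authorization check. */
function denied(callable $fn): bool
{
    try { $fn(); return false; } catch (Forbidden) { return true; }
}

// --- demonstration on constructed data --------------------------------------------------
$entry    = new Entry('home', ['title' => 'Welcome', 'content' => 'Approved copy']);
$viewer   = new User(['home' => ['view']]);            // reviewer role: view only
$editor   = new User(['home' => ['view', 'edit']]);
$tampered = ['title' => 'Tampered title'];             // values the viewer may not edit

$check = static function (bool $ok, string $msg): void {
    if (!$ok) { fwrite(STDERR, "FAIL: $msg\n"); exit(1); }
    echo "ok: $msg\n";
};

$check(str_contains(previewVulnerable($viewer, $entry, $tampered), 'Tampered title'),
    'unpatched handler renders a view-only user\'s injected field');
$check(denied(fn() => previewFixed($viewer, $entry, $tampered)),
    'fixed handler rejects field overrides without edit permission');
$check(previewFixed($viewer, $entry, []) === render($entry->data),
    'fixed handler still previews canonical data for a viewer');
$check(str_contains(previewFixed($editor, $entry, $tampered), 'Tampered title'),
    'fixed handler honours overrides from a user with edit permission');
$check(denied(fn() => previewGuard($viewer, $entry, $tampered, 'previewVulnerable')),
    'middleware-style guard shields the unpatched handler');
```

The design point is the one the advisory makes: the permission that must gate a request is decided by what the request does, not by which screen it comes from. A preview that overrides stored values is a write‑like operation, so previewFixed() demands "edit" exactly when the payload carries field values, while a payload‑free request from a viewer still renders the canonical data. previewGuard() shows that the same rule can sit in front of an unpatched handler as middleware until the upgrade lands; an alternative interim policy is to drop the supplied fields for non‑editors and render stored data only.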

Impact:

  • Confidentiality: Low – the attacker can see how their injected content renders, but cannot view existing unpublished data.
  • Integrity: Low – the attacker can modify the preview output and generate shareable URLs with false content, but the actual stored entry remains unchanged.
  • Availability: None – the vulnerability does not affect system uptime.
  • Business Impact: The flaw undermines the editorial review process, as view‑only reviewers can inject misleading content into previews, potentially leading to incorrect approvals or social‑engineering attacks. However, because the actual data is not persisted, the overall risk remains low.


Sources:

Reported By: github.com