CVE-2026-44306: Statamic CMS vulnerable to email enumeration via forgot password endpoint

May 6, 2026

Responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks.

References

github.com/advisories/GHSA-m24v-f7g5-gq67
github.com/statamic/cms
github.com/statamic/cms/security/advisories/GHSA-m24v-f7g5-gq67
nvd.nist.gov/vuln/detail/CVE-2026-44306

Code Behaviors & Features

Detect and mitigate CVE-2026-44306 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →