php · statamic/cms · Heads-up
statamic/cms Live Preview Authorization Bypass Patched
What changed
Live Preview endpoint for existing entries and terms now enforces edit authorization when rendering caller-supplied field values, preventing users with view-only permission from submitting unauthorized content.
Who it affects
Control Panel users with view but not edit permission on entries or terms, and any site using Live Preview.
What to do today
Upgrade statamic/cms to version 5.74.0 or 6.20.3 to patch the authorization bypass.
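One way to check a deployment against the fixed releases above, as an added example that is not part of the original advisory or of Statamic's code: it reads composer.lock text and classifies the locked statamic/cms version. The sample lock file is constructed, the function names are hypothetical, and the script assumes that any 5.x or 6.x release below the fixed one on its branch is unpatched, which the advisory does not state explicitly.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major version.
PATCHED = {5: (5, 74, 0), 6: (6, 20, 3)}

# Constructed sample of the relevant part of a composer.lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v6.19.0"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return (major, minor, patch), or None for dev branches and pre-releases."""
    core = raw.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(?:\.\d+){0,3}", core):
        return None
    nums = [int(p) for p in core.split(".")][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(raw):
    """Compare a locked version with the fixed release on the same major branch."""
    version = parse_version(raw)
    fixed = PATCHED.get(version[0]) if version else None
    if fixed is None:
        # Assumption: the advisory names no fixed release for other majors.
        return "unknown"
    return "patched" if version >= fixed else "needs-upgrade"


def audit_lock(lock_text):
    """Find statamic/cms in composer.lock text and classify its version."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name", "").lower() == "statamic/cms":
            return pkg.get("version", ""), classify(pkg.get("version", ""))
    return None, "not-installed"


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A result of "unknown" means the locked version is a dev branch, a pre-release, or on a major line for which the advisory gives no fixed release, so it needs a manual look.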