[MEDIUM] Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

PKSA-ykrx-2shq-vs9n CVE-2026-49288 GHSA-2497-6pwj-pwg7

Affected package: statamic/cms

Affected version: >=6.0.0,<6.20.0|<5.73.23

Reported by:
GitHub