diff --git src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
index 9d7f85a..c047d06 100644
--- src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
+++ src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
@@ -137,7 +137,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			'parent_exclude' => 'post_parent__not_in',
 			'search'         => 's',
 			'slug'           => 'name',
-			'status'         => 'post_status',
+			'status'         => 'post_status'
 		);
 
 		// For each known parameter which is both registered and present in the request,
@@ -1906,8 +1906,8 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 			'default'           => 'publish',
 			'description'       => __( 'Limit result set to posts assigned a specific status; can be comma-delimited list of status types.' ),
 			'enum'              => array_merge( array_keys( get_post_stati() ), array( 'any' ) ),
-			'sanitize_callback' => 'sanitize_key',
-			'type'              => 'string',
+			'sanitize_callback' => 'wp_parse_slug_list',
+			'type'              => 'array',
 			'validate_callback' => array( $this, 'validate_user_can_query_private_statuses' ),
 		);
 		$params['filter'] = array(
@@ -1946,7 +1946,7 @@ class WP_REST_Posts_Controller extends WP_REST_Controller {
 	 * @return WP_Error|boolean
 	 */
 	public function validate_user_can_query_private_statuses( $value, $request, $parameter ) {
-		if ( 'publish' === $value ) {
+		if ( 'publish' === $value || is_array( $value ) && count( 1 === $value ) && in_array( 'publish', $value, true ) ) {
 			return true;
 		}
 		$post_type_obj = get_post_type_object( $this->post_type );
diff --git tests/phpunit/tests/rest-api/rest-posts-controller.php tests/phpunit/tests/rest-api/rest-posts-controller.php
index 648d74f..34affe7 100644
--- tests/phpunit/tests/rest-api/rest-posts-controller.php
+++ tests/phpunit/tests/rest-api/rest-posts-controller.php
@@ -240,6 +240,36 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
 		$this->assertEquals( 1, count( $response->get_data() ) );
 	}
 
+	public function test_get_items_multiple_status_query_1() {
+		wp_set_current_user( 0 );
+		$this->factory->post->create( array( 'post_status' => 'draft' ) );
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+		$request->set_param( 'status', array( 'publish' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertEquals( 1, count( $response->get_data() ) );
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+		$request->set_param( 'status', array( 'draft', 'post' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
+
+		wp_set_current_user( $this->editor_id );
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+		$request->set_param( 'status', 'draft,publish' );
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertEquals( 2, count( $response->get_data() ) );
+
+		$request = new WP_REST_Request( 'GET', '/wp/v2/posts' );
+		$request->set_param( 'status', array( 'draft', 'publish' ) );
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$this->assertEquals( 2, count( $response->get_data() ) );
+	}
+
 	public function test_get_items_status_without_permissions() {
 		$draft_id = $this->factory->post->create( array(
 			'post_status' => 'draft',