CVE-2026-33171
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's endpoint.
Patches
This has been fixed in 5.73.14 and 6.7.0.
AnalysisAI
Authenticated Control Panel users can read arbitrary JSON, YAML, and CSV files from the server by manipulating the filename parameter in the fieldtype endpoint, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects versions prior to 5.73.14 and 6.7.0. No patch is currently available for affected deployments.
Technical ContextAI
The vulnerability exists in Statamic CMS (pkg:composer/statamic_cms), a PHP-based headless content management system. The flaw resides in the fieldtype endpoint handler that processes the file dictionary's filename configuration parameter without proper input validation or path sanitization. This is a classic instance of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal). An attacker with valid Control Panel credentials can manipulate the filename parameter to traverse the server's directory structure using path traversal sequences (e.g., ../) to access files outside the intended directory. The vulnerability affects specific file types (JSON, YAML, CSV) that may contain sensitive configuration data, application secrets, or user information.
RemediationAI
Upgrade Statamic CMS to version 5.73.14 or later if running the 5.x branch, or to version 6.7.0 or later if running the 6.x branch. Apply the patch immediately through your package manager (Composer) by running composer require statamic/cms:^5.73.14 or composer require statamic/cms:^6.7.0 depending on your current version. As a temporary workaround pending patching, restrict Control Panel access to trusted IP addresses via firewall rules or reverse proxy configuration, implement least-privilege access controls to limit the number of users with Control Panel credentials, and monitor access logs for suspicious file read patterns. For environments where immediate patching is not feasible, consider disabling the affected fieldtype endpoint until an upgrade can be scheduled. Consult the vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85 for additional context and implementation guidance.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qm7r-wwq7-6f85