Skip to main content

CVE-2026-33177

MEDIUM
Missing Authorization (CWE-862)
2026-03-18 https://github.com/statamic/cms GHSA-wh3h-gvc4-cc2g
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 20:15 vuln.today
CVE Published
Mar 18, 2026 - 20:00 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Impact

Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.

Patches

This has been fixed in 5.73.14 and 6.7.0.

AnalysisAI

A low-privileged authorization bypass vulnerability in Statamic CMS allows Control Panel users to create taxonomy terms without proper authorization by submitting crafted requests to the field action processing endpoint with attacker-controlled field definitions. This vulnerability affects Statamic CMS versions prior to 5.73.14 and 6.7.0, enabling unauthorized data modification with a CVSS score of 4.3 and low attack complexity. No active exploitation or public proof-of-concept has been confirmed, but patches are readily available from the vendor.

Technical ContextAI

The vulnerability exists in the Statamic CMS field action processing endpoint, which handles form field operations. The root cause is classified as CWE-862 (Missing Authorization), indicating that authorization checks are bypassed when requests are directed to the field action endpoint rather than the standard taxonomy term creation endpoint. The field action processor fails to validate whether the authenticated user has permission to create taxonomy terms when field definitions are supplied externally, allowing low-privileged users to bypass the authorization controls that are properly enforced on the direct taxonomy creation route. This affects the Statamic CMS package as identified by the CPE strings pkg:composer/statamic_cms.

RemediationAI

Upgrade Statamic CMS to version 5.73.14 or later (for 5.x installations) or version 6.7.0 or later (for 6.x installations) immediately using composer update. For installations unable to patch immediately, restrict Control Panel access to trusted administrators only and audit recent taxonomy term creation logs for suspicious entries. Review user role definitions to ensure that low-privileged Control Panel users have minimal necessary permissions, and disable field action processing endpoints if not actively used. Complete patching guidance is available in the official security advisory at https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g.

Share

CVE-2026-33177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy