CVE-2026-33177
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.
Patches
This has been fixed in 5.73.14 and 6.7.0.
AnalysisAI
A low-privileged authorization bypass vulnerability in Statamic CMS allows Control Panel users to create taxonomy terms without proper authorization by submitting crafted requests to the field action processing endpoint with attacker-controlled field definitions. This vulnerability affects Statamic CMS versions prior to 5.73.14 and 6.7.0, enabling unauthorized data modification with a CVSS score of 4.3 and low attack complexity. No active exploitation or public proof-of-concept has been confirmed, but patches are readily available from the vendor.
Technical ContextAI
The vulnerability exists in the Statamic CMS field action processing endpoint, which handles form field operations. The root cause is classified as CWE-862 (Missing Authorization), indicating that authorization checks are bypassed when requests are directed to the field action endpoint rather than the standard taxonomy term creation endpoint. The field action processor fails to validate whether the authenticated user has permission to create taxonomy terms when field definitions are supplied externally, allowing low-privileged users to bypass the authorization controls that are properly enforced on the direct taxonomy creation route. This affects the Statamic CMS package as identified by the CPE strings pkg:composer/statamic_cms.
RemediationAI
Upgrade Statamic CMS to version 5.73.14 or later (for 5.x installations) or version 6.7.0 or later (for 6.x installations) immediately using composer update. For installations unable to patch immediately, restrict Control Panel access to trusted administrators only and audit recent taxonomy term creation logs for suspicious entries. Review user role definitions to ensure that low-privileged Control Panel users have minimal necessary permissions, and disable field action processing endpoints if not actively used. Complete patching guidance is available in the official security advisory at https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wh3h-gvc4-cc2g