CVE-2026-33884
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.
Patches
This has been fixed in 5.73.16 and 6.7.2.
AnalysisAI
Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated Control Panel users with live preview access to abuse live preview tokens to access restricted content beyond the token's intended scope. This is an authenticated privilege escalation affecting the Statamic CMS product (pkg:composer/statamic_cms) with a CVSS score of 4.3 and low complexity; no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability exists in the Statamic CMS live preview functionality, a feature that generates time-limited tokens to allow authenticated Control Panel users to preview content in a restricted context. The root cause is classified under CWE-863 (Incorrect Authorization), indicating that the live preview token validation logic fails to properly enforce scope restrictions on the content accessible via the token. An authenticated user holding a live preview token can manipulate or reuse the token to access content resources that fall outside the token's original authorization boundary. The affected product is identified via CPE pkg:composer/statamic_cms, a PHP composer package powering the Statamic content management system.
RemediationAI
Upgrade Statamic CMS to version 5.73.16 or later if on the 5.x branch, or to version 6.7.2 or later if on the 6.x branch. These versions contain the vendor-released patch that corrects the live preview token authorization logic. Until patching is completed, restrict Control Panel access to trusted users and disable live preview functionality if it is not actively required. Audit logs for any misuse of live preview tokens and review access to sensitive content by Control Panel users during the window before patching. Refer to the official security advisory at https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2 for confirmation and detailed deployment guidance.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today