Skip to main content

CVE-2026-33884

MEDIUM
Incorrect Authorization (CWE-863)
2026-03-26 https://github.com/statamic/cms
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 19:05 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Impact

An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.

Patches

This has been fixed in 5.73.16 and 6.7.2.

AnalysisAI

Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated Control Panel users with live preview access to abuse live preview tokens to access restricted content beyond the token's intended scope. This is an authenticated privilege escalation affecting the Statamic CMS product (pkg:composer/statamic_cms) with a CVSS score of 4.3 and low complexity; no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability exists in the Statamic CMS live preview functionality, a feature that generates time-limited tokens to allow authenticated Control Panel users to preview content in a restricted context. The root cause is classified under CWE-863 (Incorrect Authorization), indicating that the live preview token validation logic fails to properly enforce scope restrictions on the content accessible via the token. An authenticated user holding a live preview token can manipulate or reuse the token to access content resources that fall outside the token's original authorization boundary. The affected product is identified via CPE pkg:composer/statamic_cms, a PHP composer package powering the Statamic content management system.

RemediationAI

Upgrade Statamic CMS to version 5.73.16 or later if on the 5.x branch, or to version 6.7.2 or later if on the 6.x branch. These versions contain the vendor-released patch that corrects the live preview token authorization logic. Until patching is completed, restrict Control Panel access to trusted users and disable live preview functionality if it is not actively required. Audit logs for any misuse of live preview tokens and review access to sensitive content by Control Panel users during the window before patching. Refer to the official security advisory at https://github.com/statamic/cms/security/advisories/GHSA-8vwx-ccf6-5wg2 for confirmation and detailed deployment guidance.

Share

CVE-2026-33884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy