CVE-2026-33886
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content.
Patches
This has been fixed in 5.73.16 and 6.7.2.
AnalysisAI
Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated control panel users with access to Antlers-enabled fields to read sensitive application configuration values through template variable injection, exposing secrets such as API keys and database credentials. The vulnerability requires low-privilege authenticated access and network connectivity to the control panel, with a CVSS score of 6.5 reflecting moderate real-world risk. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
Statamic CMS (pkg:composer/statamic_cms) implements Antlers, a template engine that processes user-supplied content within control panel fields. The vulnerability stems from insufficient input validation and output encoding in Antlers field processing, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). When a control panel user inserts template syntax referencing Statamic's configuration variables (such as app.key, database credentials, or third-party API tokens), the Antlers engine resolves these variables and renders them in the output, bypassing access control boundaries that should restrict configuration data to system administrators. The root cause is the unguarded evaluation of configuration variable references within user-controlled Antlers templates.
RemediationAI
Upgrade Statamic CMS to version 5.73.16 or later in the 5.x branch, or to version 6.7.2 or later in the 6.x branch (see vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f). As an interim mitigation pending patch deployment, restrict control panel access to trusted administrators only, audit existing Antlers-enabled field configurations for malicious template syntax, and disable Antlers processing in fields that do not require dynamic template rendering. Monitor control panel audit logs for suspicious field submissions or configuration variable references. After patching, verify that Antlers template variable resolution respects configuration access boundaries.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today