Skip to main content

CVE-2026-33886

MEDIUM
Information Exposure (CWE-200)
2026-03-26 https://github.com/statamic/cms
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 19:06 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Impact

A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content.

Patches

This has been fixed in 5.73.16 and 6.7.2.

AnalysisAI

Statamic CMS versions prior to 5.73.16 and 6.7.2 allow authenticated control panel users with access to Antlers-enabled fields to read sensitive application configuration values through template variable injection, exposing secrets such as API keys and database credentials. The vulnerability requires low-privilege authenticated access and network connectivity to the control panel, with a CVSS score of 6.5 reflecting moderate real-world risk. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

Statamic CMS (pkg:composer/statamic_cms) implements Antlers, a template engine that processes user-supplied content within control panel fields. The vulnerability stems from insufficient input validation and output encoding in Antlers field processing, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). When a control panel user inserts template syntax referencing Statamic's configuration variables (such as app.key, database credentials, or third-party API tokens), the Antlers engine resolves these variables and renders them in the output, bypassing access control boundaries that should restrict configuration data to system administrators. The root cause is the unguarded evaluation of configuration variable references within user-controlled Antlers templates.

RemediationAI

Upgrade Statamic CMS to version 5.73.16 or later in the 5.x branch, or to version 6.7.2 or later in the 6.x branch (see vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-gcqf-5x9f-hq7f). As an interim mitigation pending patch deployment, restrict control panel access to trusted administrators only, audit existing Antlers-enabled field configurations for malicious template syntax, and disable Antlers processing in fields that do not require dynamic template rendering. Monitor control panel audit logs for suspicious field submissions or configuration variable references. After patching, verify that Antlers template variable resolution respects configuration access boundaries.

Share

CVE-2026-33886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy