CVE-2026-33887
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data.
Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.
Patches
This has been fixed in 5.73.16 and 6.7.2.
AnalysisAI
Statamic CMS versions prior to 5.73.16 and 6.7.2 fail to enforce collection-level permissions on entry revision endpoints, allowing authenticated control panel users to view revisions and field data across any collection with revisions enabled regardless of their assigned permissions. The vulnerability also permits unauthenticated revision creation that snapshots existing content without modifying published entries. This represents a medium-severity authorization bypass affecting authenticated attackers with control panel access, with no public exploit identified at time of analysis.
Technical ContextAI
Statamic CMS (pkg:composer/statamic/cms) is a modern flat-file and database-agnostic PHP content management system. The vulnerability resides in the entry revision controller logic, which implements insufficient authorization checks compared to the main entry controllers. The root cause maps to CWE-862 (Missing Authorization), indicating that the revision endpoints fail to validate whether the authenticated user possesses required collection-level permissions before returning sensitive data including entry field values and blueprint definitions. The flaw bypasses the established permission model that guards access to published content and entry metadata, creating an information disclosure vector through a secondary data access pathway.
RemediationAI
Upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later immediately (see vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q). If immediate patching is not possible, restrict control panel access to trusted users only and audit existing user permissions to ensure least-privilege collection access. Additionally, review revision logs and audit trails to identify any unauthorized access to restricted collection revisions that may have occurred while running vulnerable versions. Until patched, consider disabling the revisions feature on sensitive collections if operationally feasible.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today