Skip to main content

CVE-2026-33887

MEDIUM
Missing Authorization (CWE-862)
2026-03-26 https://github.com/statamic/cms
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 19:16 vuln.today
CVE Published
Mar 26, 2026 - 19:07 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Impact

Authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data.

Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.

Patches

This has been fixed in 5.73.16 and 6.7.2.

AnalysisAI

Statamic CMS versions prior to 5.73.16 and 6.7.2 fail to enforce collection-level permissions on entry revision endpoints, allowing authenticated control panel users to view revisions and field data across any collection with revisions enabled regardless of their assigned permissions. The vulnerability also permits unauthenticated revision creation that snapshots existing content without modifying published entries. This represents a medium-severity authorization bypass affecting authenticated attackers with control panel access, with no public exploit identified at time of analysis.

Technical ContextAI

Statamic CMS (pkg:composer/statamic/cms) is a modern flat-file and database-agnostic PHP content management system. The vulnerability resides in the entry revision controller logic, which implements insufficient authorization checks compared to the main entry controllers. The root cause maps to CWE-862 (Missing Authorization), indicating that the revision endpoints fail to validate whether the authenticated user possesses required collection-level permissions before returning sensitive data including entry field values and blueprint definitions. The flaw bypasses the established permission model that guards access to published content and entry metadata, creating an information disclosure vector through a secondary data access pathway.

RemediationAI

Upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later immediately (see vendor advisory at https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q). If immediate patching is not possible, restrict control panel access to trusted users only and audit existing user permissions to ensure least-privilege collection access. Additionally, review revision logs and audit trails to identify any unauthorized access to restricted collection revisions that may have occurred while running vulnerable versions. Until patched, consider disabling the revisions feature on sensitive collections if operationally feasible.

Share

CVE-2026-33887 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy