{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25633", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.790Z", "datePublished": "2026-02-11T20:33:51.930Z", "dateUpdated": "2026-02-12T21:19:37.486Z"}, "containers": {"cna": {"title": "Statamic's missing authorization allows access to assets", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h"}, {"name": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a"}, {"name": "https://github.com/statamic/cms/releases/tag/v5.73.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.6"}, {"name": "https://github.com/statamic/cms/releases/tag/v6.2.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v6.2.5"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.6", "status": "affected"}, {"version": ">= 6.0.0-alpha.1, < 6.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T20:33:51.930Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5."}], "source": {"advisory": "GHSA-gwmx-9gcj-332h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:19:30.676025Z", "id": "CVE-2026-25633", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:19:37.486Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Statamic's missing authorization allows access to assets", "source": {"advisory": "GHSA-gwmx-9gcj-332h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": "< 5.73.6"}, {"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.2.5"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h", "name": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "name": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/statamic/cms/releases/tag/v5.73.6", "name": "https://github.com/statamic/cms/releases/tag/v5.73.6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/statamic/cms/releases/tag/v6.2.5", "name": "https://github.com/statamic/cms/releases/tag/v6.2.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T20:33:51.930Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25633", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T21:19:30.676025Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-12T21:19:34.949Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-25633", "state": "PUBLISHED", "dateUpdated": "2026-02-11T20:33:51.930Z", "dateReserved": "2026-02-04T05:15:41.790Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-11T20:33:51.930Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "88DCC3F4-B944-450D-BE1D-34F2D8ACBE89", "versionEndExcluding": "5.73.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C94BE13-7888-4AB4-ABF0-CCA533C344E6", "versionEndExcluding": "6.2.5", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5."}], "id": "CVE-2026-25633", "lastModified": "2026-02-18T19:36:44.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-11T21:16:18.910", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Product"], "url": "https://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v5.73.6"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v6.2.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.2.5)"}}], "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-04-17T20:14:10.898215+00:00", "value": {"mitigation_remediation": ["Deploy the official patch by upgrading to Statamic 5.73.6 or 6.2.5.", "Restrict permission scopes for asset access within the CMS configuration to prevent unauthorized downloads.", "Enable audit logging for asset downloads and review logs for unauthorized activity."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Asset Access"}, "threat_synthesis": {"affected_systems": "Statamic CMS is affected. Versions prior to 5.73.6 for the 5.x line and prior to 6.2.5 for the 6.x line are susceptible. The issue does not affect logged\u2011out users or those without control\u2011panel access.", "description_and_impact": "The vulnerability is a missing authorization check that allows users who lack permission to view assets to download them and view their metadata. The impact is a moderate confidentiality breach, exposing potentially sensitive files to unprivileged authenticated users. The weakness falls under CWE\u2011862, representing a lack of proper authorization checks.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low to moderate severity. The EPSS score of less than 1% suggests a very low chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attacks require authentication but do not need explicit asset\u2011access permissions, so the attack surface is limited to users who can log in but lack appropriate read privileges."}}}}, "created": "2026-02-12T09:35:59.054242+00:00", "updated": "2026-04-17T20:15:27.008007+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}