{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.681Z", "datePublished": "2026-03-27T20:41:23.715Z", "dateUpdated": "2026-03-30T18:54:25.297Z"}, "containers": {"cna": {"title": "Statamic allows unauthorized content access through missing authorization in its revision controllers", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 5.73.16", "status": "affected"}, {"version": ">= 6.0.0-alpha.1, < 6.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:41:23.715Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2."}], "source": {"advisory": "GHSA-4hp7-3wxg-cv9q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:54:14.725865Z", "id": "CVE-2026-33887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:54:25.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T18:54:14.725865Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:54:21.130Z"}}], "cna": {"title": "Statamic allows unauthorized content access through missing authorization in its revision controllers", "source": {"advisory": "GHSA-4hp7-3wxg-cv9q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"status": "affected", "version": "< 5.73.16"}, {"status": "affected", "version": ">= 6.0.0-alpha.1, < 6.7.2"}]}], "references": [{"url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q", "name": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T20:41:23.715Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33887", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:54:25.297Z", "dateReserved": "2026-03-24T15:10:05.681Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T20:41:23.715Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "EACDC143-742E-4926-9C28-6095690EB549", "versionEndExcluding": "5.73.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "631FF065-0872-4DC7-AB25-AB74B782A9BE", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2."}], "id": "CVE-2026-33887", "lastModified": "2026-04-08T13:54:27.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T21:17:25.647", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.73.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0-alpha.1,6.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "statamic"}, "product": "cms", "vendor": "statamic"}], "analysis": {"en": {"generated_at": "2026-04-08T15:24:55.392435+00:00", "value": {"mitigation_remediation": ["Upgrade Statamic to version 5.73.16 or later, or 6.7.2 or later, to apply the authorization fix."], "summary": {"action": "Apply Patch", "impact": "Unauthorized content disclosure via revision access"}, "threat_synthesis": {"affected_systems": "The affected product is Statamic CMS. Any installation running 5.72.x, 5.73.x before 5.73.16, or 6.6.x, 6.7.x before 6.7.2 with revisions enabled is vulnerable. The issue specifically impacts the Control Panel\u2019s revision endpoints, which bypass collection permission checks.", "description_and_impact": "Statamic\u2019s revision controllers lacked proper authorization checks prior to versions 5.73.16 and 6.7.2, allowing any authenticated Control Panel user to view or create revisions for collections with revisions enabled irrespective of the user\u2019s collection permissions. This breach exposes private entry data and blueprint definitions to unauthorized users, meaning sensitive content could be read or traced back to its source even though the content remains unpublished. The vulnerability does not permit direct alteration of published data; however, the ability to inspect historical content can aid in reconstructing or leaking confidential information.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely in the near term. The vulnerability requires an authenticated user with Control Panel access; it is not publicly exploitable from the network. Because the issue only permits unauthorized reading of revision data rather than altering or publishing content, the overall risk is moderate, but it is still a legitimate concern for sites handling sensitive or confidential information."}}}}, "created": "2026-03-29T20:30:01.823153+00:00", "updated": "2026-04-08T20:00:55.037730+00:00", "vendors": ["statamic", "statamic$PRODUCT$cms"]}