CVE-2026-33171 Overview
CVE-2026-33171 is a Path Traversal vulnerability in Statamic, a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's endpoint.
Critical Impact
Authenticated attackers can access sensitive configuration files containing credentials, API keys, and other sensitive data stored in JSON, YAML, or CSV formats on the server.
Affected Products
- Statamic CMS versions prior to 5.73.14
- Statamic CMS versions 6.x prior to 6.7.0
Discovery Timeline
- 2026-03-20 - CVE-2026-33171 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33171
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), which occurs when user-supplied input is used to construct a file path without proper sanitization. In Statamic CMS, authenticated users with access to the Control Panel can exploit the file dictionary fieldtype endpoint by manipulating the filename parameter to traverse directories and access files outside the intended scope.
The attack requires network access and valid Control Panel credentials. Because authentication is required, the attack surface is significantly smaller than for an unauthenticated vulnerability. The impact is limited to confidentiality: attackers can only read files, not modify or delete them, and only files with .json, .yaml, or .csv extensions are reachable through this vector.
Root Cause
The root cause is improper input validation in the file dictionary fieldtype's endpoint handler. The filename configuration parameter does not adequately sanitize path traversal sequences such as ../ before constructing the file path. This allows authenticated users to navigate outside the intended directory structure and access sensitive files elsewhere on the server filesystem.
Attack Vector
The vulnerability is exploited through the network by sending crafted requests to the fieldtype endpoint with path traversal sequences embedded in the filename parameter. An authenticated attacker can manipulate this parameter to traverse directories and read configuration files, environment files, or other sensitive data stored in JSON, YAML, or CSV formats.
For example, an attacker could target application-specific data files stored in these formats. Since Statamic is built on Laravel, its PHP configuration files (config/*.php) would not be directly readable, but any JSON or YAML configuration files used by the application or its dependencies could be exposed.
The exploitation mechanism involves manipulating directory traversal sequences within the filename parameter to escape the intended file path restrictions. For detailed technical information about this vulnerability, refer to the GitHub Security Advisory.
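The containment check that closes this class of bug, shown as an added Python illustration rather than Statamic's own PHP fix; the base directory and function names are assumptions, while the extension allowlist comes from the advisory:

```python
import os
from pathlib import Path
from typing import Optional

# Extensions the advisory says the endpoint serves. The base directory is a
# constructed placeholder, not Statamic's real dictionary location.
ALLOWED_SUFFIXES = {".json", ".yaml", ".csv"}
BASE_DIR = "/srv/app/resources/dictionaries"


def naive_resolve(base_dir: str, filename: str) -> str:
    """The CWE-22 pattern: caller-controlled input is joined onto a base path
    with no containment check, so '..' segments walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, filename))


def safe_resolve(base_dir: str, filename: str) -> Optional[Path]:
    """Hardened lookup. Returns the canonical file path, or None when the input
    fails any of three independent checks (defence in depth)."""
    base = Path(base_dir).resolve()
    # 1. Only a bare filename is acceptable: no separators, no '.' or '..'.
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        return None
    # 2. Canonicalise (collapses '..', follows symlinks) and require the result
    #    to sit strictly beneath base_dir.
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        return None
    # 3. Enforce the extension allowlist on the canonical name, not the raw input.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("countries.json", "../../.env.json", "countries.php"):
        print(f"{name!r:22} naive -> {naive_resolve(BASE_DIR, name)}")
        print(f"{'':22} safe  -> {safe_resolve(BASE_DIR, name)}")
```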
Detection Methods for CVE-2026-33171
Indicators of Compromise
- HTTP requests to fieldtype endpoints containing path traversal sequences (../, ..%2F, ..%5C) in the filename parameter
- Unusual file access patterns from the web application user targeting configuration directories
- Access logs showing repeated requests to dictionary fieldtype endpoints with varying filename values
- Error logs indicating attempts to access files outside the expected directory structure
Detection Strategies
- Monitor web application logs for requests containing directory traversal patterns in query parameters or request bodies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts in HTTP requests
- Review audit logs for authenticated Control Panel users accessing unusual endpoints or making atypical requests
- Deploy file integrity monitoring on sensitive configuration directories to detect unauthorized read attempts
Monitoring Recommendations
- Enable detailed request logging for the Statamic Control Panel endpoints to capture parameter values
- Configure alerts for path traversal signatures in request parameters across all web-facing applications
- Monitor for anomalous patterns in authenticated user behavior, particularly bulk or scripted requests to fieldtype endpoints
- Implement real-time log analysis to identify potential exploitation attempts before sensitive data is exfiltrated
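The indicators above turned into detection logic over constructed access log entries; this is an added example, not part of the original page, and the endpoint path, addresses and user names are placeholders because the page does not name the real Statamic route:

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log lines. ENDPOINT_PREFIX is a placeholder
# for the dictionary fieldtype route; set it to the real path in your deployment.
ENDPOINT_PREFIX = "/cp/fieldtypes/file-dictionary"
SAMPLE_LOG = [
    '10.0.0.5 - editor [20/Mar/2026:10:00:01 +0000] "GET /cp/fieldtypes/file-dictionary?filename=countries.json HTTP/1.1" 200 512',
    '10.0.0.9 - editor [20/Mar/2026:10:02:13 +0000] "GET /cp/fieldtypes/file-dictionary?filename=..%2F..%2F.env.json HTTP/1.1" 200 1820',
    '10.0.0.9 - editor [20/Mar/2026:10:02:14 +0000] "GET /cp/fieldtypes/file-dictionary?filename=..%252F..%252Fstorage%252Fsecrets.yaml HTTP/1.1" 404 0',
    '10.0.0.9 - editor [20/Mar/2026:10:02:15 +0000] "GET /cp/fieldtypes/file-dictionary?filename=..%5C..%5Cconfig.csv HTTP/1.1" 200 77',
    '10.0.0.5 - editor [20/Mar/2026:10:05:00 +0000] "GET /cp/assets?filename=../x.json HTTP/1.1" 200 10',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A '..' path segment, checked after backslashes are normalised to '/'.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (..%252F) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(lines, endpoint_prefix: str = ENDPOINT_PREFIX):
    """Return (alerts, bulk): traversal hits per request, and principals that
    requested three or more distinct filename values (scripted enumeration)."""
    alerts, seen = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(endpoint_prefix):
            continue  # only the dictionary fieldtype endpoint is in scope
        for raw in parse_qs(url.query).get("filename", []):  # parse_qs decodes once
            value = fully_decode(raw)
            seen[(m["ip"], m["user"])].add(value)
            if TRAVERSAL.search(value.replace("\\", "/")):
                alerts.append((m["ip"], m["user"], m["status"], value))
    bulk = {who: len(names) for who, names in seen.items() if len(names) >= 3}
    return alerts, bulk
```

Requests to other routes are ignored on purpose so the volume threshold measures enumeration of this endpoint only; tune the threshold to your editors' normal usage.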
How to Mitigate CVE-2026-33171
Immediate Actions Required
- Upgrade Statamic CMS to version 5.73.14 or later for the 5.x branch
- Upgrade Statamic CMS to version 6.7.0 or later for the 6.x branch
- Review access logs to identify any potential exploitation attempts prior to patching
- Audit Control Panel user accounts and remove unnecessary access privileges
Patch Information
Statamic has released security patches addressing this vulnerability. The fix is included in versions 5.73.14 and 6.7.0. Update your Statamic installation using Composer:
composer update statamic/cms
For additional details, refer to the GitHub Security Advisory GHSA-qm7r-wwq7-6f85.
Workarounds
- Restrict Control Panel access to only trusted administrators until the patch can be applied
- Implement network-level access controls (IP allowlisting) for the Control Panel routes
- Deploy a Web Application Firewall with rules to block path traversal sequences in request parameters
- Consider temporarily disabling the file dictionary fieldtype if it is not critical to operations
# Example: restrict Control Panel access by IP in the Apache server or virtual
# host configuration (the <Location> container is not permitted inside .htaccess;
# multiple Require lines at one level are combined as RequireAny in Apache 2.4)
<Location "/cp">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

