CVE-2026-33177 Overview
CVE-2026-33177 is an authorization bypass vulnerability in Statamic, a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.
Critical Impact
Low-privileged users can bypass authorization controls to create unauthorized taxonomy terms, potentially leading to content manipulation and privilege abuse within the CMS.
Affected Products
- Statamic CMS 5.x versions prior to 5.73.14
- Statamic CMS 6.x versions prior to 6.7.0
Discovery Timeline
- 2026-03-20 - CVE-2026-33177 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33177
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), which occurs when an application does not perform proper authorization checks before allowing a user to perform a privileged action. In the case of Statamic CMS, the field action processing endpoint lacks the same authorization controls that are enforced on the standard taxonomy term creation endpoint.
The vulnerability allows authenticated users with low privileges in the Control Panel to bypass intended access restrictions. By crafting malicious requests to the field action processing endpoint and including attacker-controlled field definitions, users can create taxonomy terms without having the necessary permissions to do so through normal channels.
Root Cause
The root cause of this vulnerability stems from inconsistent authorization enforcement across different endpoints within the Statamic CMS. While the standard taxonomy term creation endpoint properly validates user permissions before allowing term creation, the field action processing endpoint does not implement equivalent authorization checks.
This creates a security gap where low-privileged users can exploit the less-protected endpoint to perform actions that would normally require elevated permissions. The lack of centralized authorization logic for taxonomy-related operations allows this bypass to occur.
Attack Vector
An attacker with low-level Control Panel access can exploit this vulnerability by:
- Identifying the field action processing endpoint within the Statamic CMS
- Crafting HTTP requests with malicious field definitions targeting taxonomy term creation
- Submitting these requests to bypass the standard authorization controls
- Successfully creating taxonomy terms without proper permissions
The attack is network-based and requires low privileges (an authenticated Control Panel account). No user interaction is required beyond the attacker's own actions. The vulnerability primarily impacts data integrity by allowing unauthorized content modifications.
The vulnerability can be exploited by sending crafted POST requests to the field action processing endpoint with attacker-controlled parameters that mimic legitimate taxonomy term creation requests. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33177
Indicators of Compromise
- Unexpected taxonomy terms appearing in the CMS that were not created through normal workflows
- Log entries showing field action processing requests from low-privileged users creating taxonomy-related content
- Anomalous POST requests to field action endpoints containing taxonomy field definitions
Detection Strategies
- Monitor authentication logs for Control Panel users making requests to field action processing endpoints
- Implement web application firewall (WAF) rules to detect unusual patterns in POST request bodies targeting internal Statamic endpoints
- Review audit logs for taxonomy term creation events and cross-reference with user permission levels
Monitoring Recommendations
- Enable verbose logging for Statamic Control Panel actions to capture field action processing requests
- Set up alerts for taxonomy modifications initiated by users without explicit taxonomy management permissions
- Regularly audit user roles and permissions to ensure the principle of least privilege is maintained
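As an added example (not code from the page or from Statamic), the cross-referencing described in the detection and monitoring lists above, run in Python over a constructed audit log: successful POSTs that create a term directly, or that push a taxonomy field definition through the field action endpoint, are flagged when the requesting role holds no taxonomy permission. The two endpoint paths, the permission names and the `terms` fieldtype name are assumptions, since the page does not name the route.

```python
import json
import re

# Assumed placeholders: the page does not name the route or the fieldtype,
# so substitute the values from the vendor advisory before use.
FIELD_ACTION_PATH = "/cp/field-actions"                       # assumed
TERM_CREATE_RE = re.compile(r"^/cp/taxonomies/[^/]+/terms$")  # assumed
TAXONOMY_FIELDTYPE = "terms"                                  # assumed

# Constructed role -> permission map standing in for the Control Panel roles.
ROLE_PERMISSIONS = {
    "admin": {"configure taxonomies", "create terms", "edit entries"},
    "author": {"edit entries"},
}
TAXONOMY_PERMS = {"configure taxonomies", "create terms"}

# Constructed audit log, one JSON object per request (not real Statamic output).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"user": "alice", "role": "admin", "method": "POST", "path": "/cp/field-actions",
     "status": 200, "fieldtype": "terms"},
    {"user": "bob", "role": "author", "method": "POST", "path": "/cp/field-actions",
     "status": 200, "fieldtype": "terms"},
    {"user": "bob", "role": "author", "method": "POST", "path": "/cp/field-actions",
     "status": 200, "fieldtype": "text"},
    {"user": "carol", "role": "author", "method": "POST", "path": "/cp/taxonomies/tags/terms",
     "status": 403, "fieldtype": None},
    {"user": "dave", "role": "admin", "method": "POST", "path": "/cp/taxonomies/tags/terms",
     "status": 201, "fieldtype": None},
])

def lacks_taxonomy_permission(role):
    return not (ROLE_PERMISSIONS.get(role, set()) & TAXONOMY_PERMS)

def is_taxonomy_write(event):
    """A successful POST that either creates a term directly or pushes a
    taxonomy field definition through the field action endpoint."""
    if event["method"] != "POST" or not 200 <= event["status"] < 300:
        return False
    if TERM_CREATE_RE.match(event["path"]):
        return True
    return event["path"] == FIELD_ACTION_PATH and event["fieldtype"] == TAXONOMY_FIELDTYPE

def find_suspicious(log_text):
    """Return (user, path) for taxonomy writes by roles without taxonomy rights."""
    hits = []
    for line in log_text.splitlines():
        event = json.loads(line)
        if is_taxonomy_write(event) and lacks_taxonomy_permission(event["role"]):
            hits.append((event["user"], event["path"]))
    return hits
```

Only bob's successful term-fieldtype request through the field action endpoint is reported; carol's direct attempt was already refused (403) by the properly guarded endpoint, and the admin requests are in scope of their role.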
How to Mitigate CVE-2026-33177
Immediate Actions Required
- Upgrade Statamic CMS to version 5.73.14 or later for the 5.x branch
- Upgrade Statamic CMS to version 6.7.0 or later for the 6.x branch
- Review existing taxonomy terms for any unauthorized or suspicious entries
- Audit Control Panel user accounts and remove unnecessary access privileges
Patch Information
Statamic has released security patches addressing this authorization bypass vulnerability. Organizations running affected versions should update to the fixed releases:
- Version 5.x: Update to 5.73.14 or later
- Version 6.x: Update to 6.7.0 or later
Patch details and additional information are available in the Statamic GitHub Security Advisory.
Workarounds
- Restrict Control Panel access to only essential personnel until the patch can be applied
- Implement network-level access controls to limit who can reach the Statamic Control Panel
- Monitor and review all taxonomy term creation activities for unauthorized changes
# Update Statamic via Composer to the patched version
# (if composer.json pins a constraint below 5.73.14 / 6.7.0, raise it first,
#  otherwise Composer will not pull the fixed release)
composer update statamic/cms
# Verify the installed version after update
php artisan statamic:version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.