CVE-2026-33882 Overview
CVE-2026-33882 is an information disclosure vulnerability in Statamic, a Laravel- and Git-powered content management system (CMS). The vulnerability exists in the markdown preview endpoint, which can be manipulated to return augmented data from arbitrary fieldtypes. When exploited through the users fieldtype specifically, an authenticated control panel user can retrieve sensitive user data, including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.
Critical Impact
Authenticated attackers can extract sensitive user information including email addresses and encrypted authentication secrets through the markdown preview endpoint, potentially enabling further attacks against user accounts.
Affected Products
- Statamic CMS versions prior to 5.73.16
- Statamic CMS versions prior to 6.7.2
Discovery Timeline
- 2026-03-27 - CVE-2026-33882 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33882
Vulnerability Analysis
This vulnerability is classified as an Improper Input Validation issue (CWE-20). The markdown preview endpoint in Statamic CMS fails to properly validate and restrict the types of data that can be returned when processing preview requests. The flaw allows authenticated control panel users to manipulate requests to the markdown preview functionality in a way that causes the endpoint to return augmented data from arbitrary fieldtypes beyond what should normally be accessible.
The vulnerability is particularly concerning because it exposes sensitive user data. When exploiting the users fieldtype, attackers can retrieve email addresses, encrypted passkey data, and encrypted two-factor authentication codes. While these authentication secrets are encrypted, their exposure could facilitate offline cryptographic attacks or be combined with other vulnerabilities to compromise user accounts.
Root Cause
The root cause stems from improper input validation in the markdown preview endpoint. The endpoint does not adequately restrict which fieldtypes can be accessed or what augmented data can be returned in preview responses. This allows authenticated users to craft requests that retrieve data from fieldtypes that should not be accessible through the preview functionality, including the users fieldtype which contains sensitive authentication data.
Attack Vector
The attack requires network access and authenticated access to the Statamic control panel. An attacker with valid control panel credentials can exploit this vulnerability by sending specially crafted requests to the markdown preview endpoint. The attacker manipulates the request parameters to cause the endpoint to return augmented data from the users fieldtype, exposing sensitive user information.
The attack does not require user interaction and can be performed without any special privileges beyond basic authenticated access to the control panel. For detailed technical information about the exploitation method, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33882
Indicators of Compromise
- Unusual or excessive requests to the markdown preview endpoint from authenticated control panel sessions
- Access logs showing requests to preview endpoints containing fieldtype manipulation attempts
- Evidence of user data enumeration or bulk retrieval of user information
- Anomalous access patterns from control panel user accounts
Detection Strategies
- Monitor web application logs for suspicious requests to the markdown preview endpoint
- Implement alerting on high volumes of preview endpoint requests from individual user sessions
- Review access logs for attempts to access users fieldtype data through non-standard endpoints
- Deploy web application firewall rules to detect and block fieldtype manipulation attempts
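The following script is an added example written for this page; it is not part of the advisory or of Statamic itself. It implements the second detection strategy above: it parses access log lines, keeps only requests to the markdown preview endpoint, and flags any authenticated user whose request count within a sliding five-minute window exceeds a threshold. The endpoint path (PREVIEW_PATH_MARKER), the threshold, the log format (combined format with the authenticated username in the third field) and the log lines themselves are all assumptions or constructed data; adjust them to what your Statamic version and web server actually log.

```python
"""Burst detector for markdown preview endpoint requests (added example, not Statamic code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# ASSUMPTION: substring that identifies the markdown preview endpoint in your logs.
PREVIEW_PATH_MARKER = "/cp/markdown/preview"
# ASSUMPTION: tune to your editors' normal usage; the page only says "high volumes".
MAX_PREVIEW_REQUESTS_PER_WINDOW = 20
WINDOW = timedelta(minutes=5)

# Combined log format; the third field carries the authenticated control panel user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_preview_bursts(lines):
    """Return {user: peak requests in any WINDOW} for users above the threshold."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or PREVIEW_PATH_MARKER not in rec["path"]:
            continue
        per_user[rec["user"]].append(rec["ts"])

    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window spans at most WINDOW.
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > MAX_PREVIEW_REQUESTS_PER_WINDOW:
            alerts[user] = peak
    return alerts


def constructed_log():
    """Constructed sample log: one normal editor and one user bursting the preview endpoint."""
    base = datetime(2026, 3, 28, 10, 0, 0, tzinfo=timezone.utc)

    def entry(user, offset_s, path=PREVIEW_PATH_MARKER, ip="203.0.113.10"):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - {user} [{ts}] "POST {path} HTTP/1.1" 200 512'

    lines = [entry("editor", 60 * i) for i in range(3)]        # 3 previews in 2 minutes
    lines += [entry("alice", 4 * i) for i in range(30)]         # 30 previews in 2 minutes
    lines.append(entry("editor", 10, path="/cp/collections/pages"))  # unrelated CP request
    lines.append("not an access log line")                     # malformed line is skipped
    return lines


if __name__ == "__main__":
    for user, peak in find_preview_bursts(constructed_log()).items():
        print(f"ALERT: {user} made {peak} preview requests within {WINDOW}")
```

Feed the function real lines (for example `find_preview_bursts(open("/var/log/nginx/access.log"))`) after setting the path marker; because the window is per user rather than global, a busy site with many editors does not trip the alert while one account enumerating data does.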
Monitoring Recommendations
- Enable detailed logging for all Statamic control panel endpoints
- Configure SIEM alerts for anomalous patterns in preview endpoint access
- Monitor for failed authentication attempts following potential data exfiltration
- Audit control panel user accounts for unauthorized access or suspicious activity patterns
How to Mitigate CVE-2026-33882
Immediate Actions Required
- Upgrade Statamic CMS to version 5.73.16 or later for the 5.x branch
- Upgrade Statamic CMS to version 6.7.2 or later for the 6.x branch
- Audit control panel user accounts and review access logs for signs of exploitation
- Consider rotating user authentication secrets if exploitation is suspected
Patch Information
Statamic has released security patches that address this vulnerability. Users should upgrade to the following fixed versions:
- For Statamic 5.x: Update to version 5.73.16 or later
- For Statamic 6.x: Update to version 6.7.2 or later
Refer to the GitHub Security Advisory for complete patch details and upgrade instructions.
Workarounds
- Restrict control panel access to only trusted and necessary users until patches can be applied
- Implement network-level access controls to limit who can reach the control panel
- Monitor and audit all control panel activity closely until the upgrade is complete
- Consider temporarily disabling the markdown preview functionality if possible in your environment
# Upgrade example
# Update Statamic CMS via Composer
composer update statamic/cms
# Verify the installed version
composer show statamic/cms | grep version
# Clear application cache after update
php artisan cache:clear
php artisan config:clear
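As an added example (written for this page, not taken from the advisory or from Statamic), the helper below turns the version ranges under Affected Products and Patch Information into a check: it parses a version string and reports whether it falls below 5.73.16 or in the 6.0.0 to 6.7.1 range. The `composer show` output it parses is constructed, and the assumption that Composer prints a line beginning with `versions :` should be checked against your own Composer's output.

```python
"""Check an installed Statamic version against the CVE-2026-33882 fixed versions (added example)."""
import re

# Fixed versions stated in the advisory, one per supported branch.
FIXED_5X = (5, 73, 16)
FIXED_6X = (6, 7, 2)


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v5.73.15' or '6.7.2'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version is in an affected range: below 5.73.16, or 6.0.0 up to (excluding) 6.7.2."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIXED_5X:
        return True
    return (6, 0, 0) <= v < FIXED_6X


def version_from_composer_show(output):
    """Pull the installed version out of `composer show statamic/cms` output.

    ASSUMPTION: the installed version appears on a line like 'versions : * v6.7.1'.
    """
    for line in output.splitlines():
        if line.strip().lower().startswith("versions"):
            return parse_version(line)
    raise ValueError("no 'versions' line found in composer output")


# Constructed sample output, not captured from a real installation.
CONSTRUCTED_COMPOSER_OUTPUT = """\
name     : statamic/cms
descrip. : Statamic CMS Package
versions : * v6.7.1
"""


def check_constructed_install():
    """Return (version tuple, affected flag) for the constructed sample output."""
    v = version_from_composer_show(CONSTRUCTED_COMPOSER_OUTPUT)
    return v, is_affected(v)


if __name__ == "__main__":
    version, affected = check_constructed_install()
    label = ".".join(map(str, version))
    print(f"statamic/cms {label}: {'AFFECTED, upgrade required' if affected else 'not affected'}")
```

Pipe real output in with `version_from_composer_show(subprocess.run(["composer", "show", "statamic/cms"], capture_output=True, text=True).stdout)` once you have confirmed the line format; the range logic itself needs no change.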
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.