CVE-2026-33886 Overview
CVE-2026-33886 is a Configuration Information Disclosure vulnerability affecting Statamic, a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content.
Critical Impact
Authenticated attackers can extract sensitive application configuration data including database credentials, API keys, and other secrets stored in Laravel configuration files.
Affected Products
- Statamic CMS versions 5.7.12 through 5.73.15
- Statamic CMS versions 6.0.0 through 6.7.1
Discovery Timeline
- 2026-03-27 - CVE-2026-33886 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33886
Vulnerability Analysis
This vulnerability represents a Configuration Information Disclosure flaw (CWE-200) in Statamic CMS's Antlers templating engine. Antlers is Statamic's proprietary template language that processes dynamic content within the CMS. The vulnerability arises from insufficient access controls on configuration variable interpolation within Antlers-enabled content fields.
When authenticated users with control panel access insert specially crafted Antlers template syntax into content fields, the templating engine processes these variables and exposes underlying Laravel application configuration values. This could include database connection strings, mail server credentials, third-party API keys, encryption keys, and other sensitive environment-specific settings that are typically protected from end-user access.
The attack requires low privileges (an authenticated control panel user) but can be executed remotely over the network without user interaction, making it particularly concerning for multi-user Statamic installations where not all control panel users should have access to system-level configuration.
Root Cause
The root cause lies in insufficient input validation and access control within Statamic's Antlers template processing logic. The templating engine failed to restrict which configuration variables could be accessed when processing user-supplied content in Antlers-enabled fields. Configuration accessors like {{ config: }} tags were not properly sanitized or restricted, allowing arbitrary configuration key lookups by authenticated users who should not have access to system configuration data.
Attack Vector
The attack is network-based and requires an authenticated session with access to the Statamic control panel. An attacker with even minimal control panel privileges can exploit this vulnerability by:
- Navigating to any content entry or field that supports Antlers templating
- Inserting Antlers configuration variable syntax to reference sensitive configuration keys
- Previewing or publishing the content to trigger template processing
- Observing the rendered output, which exposes the requested configuration values
The vulnerability has a high confidentiality impact, as attackers can systematically enumerate and extract sensitive configuration values including credentials, encryption keys, and API secrets stored in Laravel's configuration system.
Detection Methods for CVE-2026-33886
Indicators of Compromise
- Unusual content entries containing Antlers configuration variable syntax patterns
- Audit log entries showing repeated content saves or previews with suspicious template variables
- Access to configuration-related content fields by users who typically don't edit such content
- Exported or cached content containing exposed configuration values
Detection Strategies
- Review control panel audit logs for users inserting configuration variable patterns into content fields
- Implement content scanning rules to detect Antlers config variable syntax in user-submitted content
- Monitor for unusual patterns in content revision history that may indicate probing attempts
- Establish baseline behavior for control panel users and alert on anomalous content editing patterns
Monitoring Recommendations
- Enable comprehensive audit logging for all Statamic control panel actions
- Configure alerts for content containing potential template injection patterns
- Periodically review content entries for unauthorized configuration variable references
- Monitor application logs for configuration access errors that may indicate exploitation attempts
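The content-scanning rule suggested under Detection Strategies and the periodic content review suggested under Monitoring Recommendations can both be served by one small scanner over Statamic's flat-file content. The following is an added example, not Statamic's code and not part of the original advisory: it flags every `{{ config: }}` accessor it finds in content files, records the referenced key path, and marks key paths that look like secrets for priority review. The sample entries are constructed, the assumed content directory layout follows Statamic's `content/collections/...` convention, and the regex covers only the `{{ config: }}` spelling named in this advisory; any other way of reaching configuration values from a template would need its own pattern.

```python
"""Scan Statamic flat-file content for Antlers config accessors.

Added example (not Statamic's own code): flags `{{ config:... }}` references in
content so that entries matching the indicators above can be reviewed.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Matches the `{{ config: }}` accessor form named in the advisory and captures
# the key path that follows it. Whitespace inside the braces is tolerated.
# Assumption: this is the only spelling covered; other ways of reaching config
# values from a template would need their own pattern.
CONFIG_TAG = re.compile(r"\{\{\s*config\s*:\s*([\w.:-]+)", re.IGNORECASE)

# Key-path fragments that usually point at a secret rather than a display value.
SENSITIVE_HINTS = ("key", "secret", "password", "token", "database", "mail", "credential")


@dataclass
class Finding:
    source: str      # file path or label of the scanned text
    line_no: int     # 1-based line within that text
    key_path: str    # the config key path referenced by the tag
    sensitive: bool  # True when the key path looks like a secret


def scan_text(text: str, source: str = "<inline>") -> list[Finding]:
    """Return one Finding per config accessor found in `text`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CONFIG_TAG.finditer(line):
            key_path = match.group(1)
            sensitive = any(hint in key_path.lower() for hint in SENSITIVE_HINTS)
            findings.append(Finding(source, line_no, key_path, sensitive))
    return findings


def scan_tree(root: Path, suffixes: tuple[str, ...] = (".md", ".yaml", ".yml")) -> list[Finding]:
    """Walk a content directory (for example `content/collections`) and scan every entry file."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(encoding="utf-8", errors="replace"), str(path)))
    return findings


# Constructed sample entries standing in for real flat-file content.
SAMPLE_ENTRIES = {
    "content/collections/blog/welcome.md": (
        "---\ntitle: Welcome\n---\n"
        "Plain prose with an ordinary variable: {{ title }}\n"
    ),
    "content/collections/blog/suspicious.md": (
        "---\ntitle: Probe\n---\n"
        "Site: {{ config:app:name }}\n"
        "Key: {{config:app:key}}\n"
    ),
}


def scan_samples() -> list[Finding]:
    """Scan the constructed entries; used by the demo below and by tests."""
    return [f for source, text in SAMPLE_ENTRIES.items() for f in scan_text(text, source)]


if __name__ == "__main__":
    # Replace with scan_tree(Path("content/collections")) to check a real site.
    for finding in scan_samples():
        level = "HIGH" if finding.sensitive else "REVIEW"
        print(f"[{level}] {finding.source}:{finding.line_no} references config key '{finding.key_path}'")
```

Running `scan_tree` over `content/collections` on a schedule, or on every Git commit to the content repository, turns the periodic review into a repeatable check; because ordinary editorial content rarely needs any `config:` reference at all, every hit is worth a look, and hits whose key path contains a secret-like fragment are worth an immediate one.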
How to Mitigate CVE-2026-33886
Immediate Actions Required
- Upgrade Statamic CMS to version 5.73.16 or 6.7.2 immediately
- Review control panel user permissions and restrict access to Antlers-enabled fields where possible
- Audit recent content changes for any signs of configuration variable injection
- Consider rotating sensitive credentials that may have been exposed through this vulnerability
Patch Information
Statamic has released patched versions that address this vulnerability. Users should upgrade to version 5.73.16 for the 5.x branch or version 6.7.2 for the 6.x branch. The fix implements proper access controls to prevent unauthorized access to configuration values through Antlers template processing. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Restrict control panel access to only trusted administrators until patching is complete
- Disable Antlers processing on user-editable content fields where not strictly required
- Implement Web Application Firewall (WAF) rules to filter requests containing configuration variable patterns
- Review and limit which users have access to content editing in the control panel
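The workaround of disabling Antlers processing on editor-facing fields is a blueprint change. The following is an added illustration, not taken from the Statamic project or from this advisory: a simplified collection blueprint with the weak setting and the corrected one side by side. The file path and the field handle are assumed for the example; the `antlers` option is the per-field switch that controls whether the field's content is run through the Antlers parser.

```yaml
# resources/blueprints/collections/articles/article.yaml (assumed example path)
title: Article
tabs:
  main:
    display: Main
    sections:
      -
        fields:
          -
            handle: content
            field:
              type: markdown
              # Weak: editor-supplied text is parsed as an Antlers template, so a
              # control panel user can place template syntax in it.
              antlers: true
          -
            handle: summary
            field:
              type: textarea
              # Corrected: the field is stored and rendered as plain text. Use this
              # on every editor-facing field that does not genuinely need templating.
              antlers: false
```

Leave `antlers: true` only on fields that trusted administrators edit and that truly require template output; for everything else, `antlers: false` removes the processing path this vulnerability relies on, independently of the upgrade.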
# Upgrade Statamic via Composer
# (the statamic/cms constraint in composer.json must allow the target release,
# e.g. 5.73.16 on the 5.x branch or 6.7.2 on the 6.x branch)
composer update statamic/cms --with-dependencies
# Verify installed version
composer show statamic/cms | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.