CVE-2026-33887 Overview
CVE-2026-33887 is an Authorization Bypass vulnerability discovered in Statamic, a Laravel and Git powered content management system (CMS). Authenticated Control Panel users can view entry revisions for any collection with revisions enabled, regardless of whether they have the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Additionally, users can create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.
Critical Impact
Authenticated users can bypass permission controls to access sensitive entry data and blueprint information from collections they should not have access to, potentially exposing confidential content across the CMS.
Affected Products
- Statamic CMS 5.x versions prior to 5.73.16
- Statamic CMS 6.x versions prior to 6.7.2
Discovery Timeline
- 2026-03-27 - CVE-2026-33887 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33887
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), where the application fails to perform proper authorization checks for specific functionality. In Statamic CMS, the entry revision endpoints do not enforce the same permission validation that protects the main entry controllers. This architectural oversight allows any authenticated Control Panel user to enumerate and retrieve entry revisions from collections, even when they lack the explicit permissions to view those collections.
The security boundary between authenticated users with different permission levels is not properly maintained for revision-related operations. While the primary entry management functions correctly validate user permissions against collection access rules, the revision subsystem operates independently without these checks, creating an exploitable gap in the authorization model.
Root Cause
The root cause is a missing authorization check in the entry revision controller logic. When authenticated users request entry revisions, the system verifies only that the user is authenticated to the Control Panel, but fails to validate whether the user has the necessary collection-level permissions to access the underlying entries. This represents an incomplete implementation of the authorization layer for the revision management feature.
Attack Vector
The attack can be executed over the network by any authenticated Control Panel user. An attacker with legitimate but limited credentials can exploit this vulnerability by directly accessing the revision endpoints for collections they are not authorized to view. The attack requires low privileges (authenticated user status) and no user interaction, making it straightforward to exploit for information gathering purposes.
An attacker would typically:
- Authenticate to the Statamic Control Panel with any valid user account
- Enumerate or guess collection identifiers for restricted collections
- Request revision data through the revision API endpoints, bypassing collection permission checks
- Extract sensitive field values and blueprint data from unauthorized collections
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-33887
Indicators of Compromise
- Unusual access patterns to entry revision endpoints from users with limited collection permissions
- Audit log entries showing revision access for collections a user does not have explicit permission to view
- Unexpected data exports or bulk revision queries from low-privilege authenticated accounts
Detection Strategies
- Review Statamic access logs for revision endpoint requests cross-referenced against user permission assignments
- Implement application-layer logging to track revision access attempts and compare against authorization rules
- Monitor for authenticated users accessing revision data outside their designated collection scope
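The cross-referencing described above, as an added example that is not part of the original advisory or of Statamic itself: it parses constructed access-log lines, assumes the Control Panel revision route takes the shape /cp/collections/{collection}/entries/{entry}/revisions, and flags any revision request whose collection is outside the requesting user's permitted set (the user-to-collection mapping is an assumed, constructed stand-in for the real role and permission assignments).

```python
import re
from collections import defaultdict

# Assumption: each user's set of collections they are permitted to view.
# In a real review this is exported from Statamic's role/group permissions.
USER_COLLECTION_PERMISSIONS = {
    "alice": {"blog", "pages"},
    "bob": {"blog"},
}

# Assumed route shape for entry revision requests in the Control Panel.
REVISION_PATH = re.compile(
    r"^/cp/collections/(?P<collection>[^/]+)/entries/(?P<entry>[^/]+)"
    r"/revisions(?:/|$|\?)"
)

# Constructed sample log: "<timestamp> <user> <method> <path> <status>".
SAMPLE_LOG = """\
2026-03-28T10:01:02Z alice GET /cp/collections/blog/entries/abc123/revisions 200
2026-03-28T10:02:15Z bob GET /cp/collections/blog/entries/abc123/revisions 200
2026-03-28T10:03:40Z bob GET /cp/collections/contracts/entries/def456/revisions 200
2026-03-28T10:04:01Z bob POST /cp/collections/contracts/entries/def456/revisions 200
2026-03-28T10:05:09Z bob GET /cp/collections/blog/entries/abc123 200
2026-03-28T10:06:22Z carol GET /cp/collections/pages/entries/ghi789/revisions 200
2026-03-28T10:07:45Z alice GET /cp/collections/contracts/entries/def456/revisions 403
"""


def parse_line(line):
    """Return a record for a revision-endpoint request, or None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, path, status = parts
    m = REVISION_PATH.match(path)
    if not m:
        return None
    return {"ts": ts, "user": user, "method": method, "path": path,
            "status": int(status), "collection": m.group("collection")}


def find_out_of_scope_revision_access(log_text, permissions):
    """Revision requests whose collection is not in the user's permitted set.
    The status is kept so the analyst can tell a pre-patch 200 (data returned)
    from a post-patch 403 (attempt denied); an unknown user has no permissions."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["collection"] not in permissions.get(rec["user"], set()):
            findings.append(rec)
    return findings


def summarize(findings):
    """Map each flagged user to the sorted list of collections they reached for."""
    per_user = defaultdict(set)
    for f in findings:
        per_user[f["user"]].add(f["collection"])
    return {u: sorted(c) for u, c in per_user.items()}
```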
Monitoring Recommendations
- Enable verbose logging for Control Panel authentication and revision access events
- Configure alerts for revision endpoint access patterns that exceed normal user behavior
- Regularly audit user permissions against actual access patterns in application logs
How to Mitigate CVE-2026-33887
Immediate Actions Required
- Upgrade Statamic CMS to version 5.73.16 or later for the 5.x branch
- Upgrade Statamic CMS to version 6.7.2 or later for the 6.x branch
- Audit user accounts and permissions to identify any potential unauthorized access that may have occurred
- Review revision access logs for suspicious activity
Patch Information
Statamic has addressed this vulnerability in versions 5.73.16 and 6.7.2. The fix implements proper authorization checks in the entry revision controllers to ensure users can only access revisions for collections they have explicit permissions to view. Organizations should apply these patches as soon as possible to prevent unauthorized information disclosure.
For complete patch details and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Temporarily disable the revisions feature for sensitive collections until the patch can be applied
- Restrict Control Panel access to only trusted users with legitimate business needs
- Implement network-level access controls to limit who can reach the Control Panel endpoints
- Consider using a Web Application Firewall (WAF) to monitor and filter suspicious revision endpoint requests
Post-Upgrade Verification
# Verify Statamic version after upgrade
php artisan statamic:version
# Check for available updates
composer outdated statamic/cms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.