Description
Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
Published: 2026-02-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Asset Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization check that allows users who lack permission to view assets to download them and view their metadata. The impact is a moderate confidentiality breach, exposing potentially sensitive files to unprivileged authenticated users. The weakness falls under CWE-862, representing a lack of proper authorization checks.

Affected Systems

Statamic CMS is affected. Versions prior to 5.73.6 for the 5.x line and prior to 6.2.5 for the 6.x line are susceptible. The issue does not affect logged-out users or those without control-panel access.

Risk and Exploitability

The CVSS score of 4.3 indicates low to moderate severity. The EPSS score of less than 1% suggests a very low chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attacks require authentication but do not need explicit asset-access permissions, so the attack surface is limited to users who can log in but lack appropriate read privileges.

Generated by OpenCVE AI on April 17, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the official patch by upgrading to Statamic 5.73.6 or 6.2.5.
  • Restrict permission scopes for asset access within the CMS configuration to prevent unauthorized downloads.
  • Enable audit logging for asset downloads and review logs for unauthorized activity.

Advisories

Source       ID                   Title
GitHub GHSA  GHSA-gwmx-9gcj-332h  Statamic CMS's missing authorization allows access to assets
History

Wed, 18 Feb 2026 19:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Statamic statamic
CPEs                                   cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products                     Statamic statamic

Thu, 12 Feb 2026 22:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 09:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Statamic
                                       Statamic cms
Vendors & Products                     Statamic
                                       Statamic cms

Wed, 11 Feb 2026 20:45:00 +0000

Type          Values Removed    Values Added
Description                     Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
Title                           Statamic's missing authorization allows access to assets
Weaknesses                      CWE-862
References
Metrics                         cvssV3_1
                                {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:19:37.486Z

Reserved: 2026-02-04T05:15:41.790Z

Link: CVE-2026-25633

Vulnrichment

Updated: 2026-02-12T21:19:34.949Z

NVD

Status: Analyzed

Published: 2026-02-11T21:16:18.910

Modified: 2026-02-18T19:36:44.100

Link: CVE-2026-25633

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses