Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.
Published: 2026-03-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized taxonomy term creation by low‑privilege Control Panel users
Action: Apply Patch
AI Analysis

Impact

Statamic, a Laravel-based content management system, contains a flaw in the Control Panel's field action processing endpoint: a request carrying attacker-controlled field definitions can make that endpoint create taxonomy terms without the authorization check that the standard term-creation endpoint enforces. The weakness is missing authorization (CWE-862). A user with minimal Control Panel permissions can add terms to a taxonomy they are not permitted to edit, altering site content or navigation built from that taxonomy in ways the user should not be able to control.
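The pattern described above, reduced to a small model, as an added example written for this page and not Statamic's own code: the standard controller authorizes before writing, while a second route that builds a fieldtype from client-supplied field definitions reaches the same store without any check, and the hardened form moves the check to the write itself. All names here (User, TermStore, fieldtype_action_*, the permission strings) and the sample request are hypothetical.

```python
# Generic model of the missing-authorization (CWE-862) pattern described on this
# page. NOT Statamic code: every class, function and permission string below is
# hypothetical, and the request/users in demo() are constructed sample data.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a user lacks the permission the operation requires."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # hypothetical strings such as "create tags terms"


def can_create_term(user: User, taxonomy: str) -> bool:
    return f"create {taxonomy} terms" in user.permissions


@dataclass
class TermStore:
    """Backing store: taxonomy handle -> set of term slugs."""
    terms: dict = field(default_factory=dict)

    def create(self, taxonomy: str, slug: str) -> str:
        self.terms.setdefault(taxonomy, set()).add(slug)
        return slug


# --- Vulnerable shape: the check lives only in the standard controller -------

def create_term_endpoint(store: TermStore, user: User, taxonomy: str, slug: str) -> str:
    """The 'standard' term-creation route: authorizes, then writes."""
    if not can_create_term(user, taxonomy):
        raise Forbidden(f"{user.name} may not create terms in {taxonomy}")
    return store.create(taxonomy, slug)


def fieldtype_action_vulnerable(store: TermStore, user: User, request: dict) -> str:
    """A field-action route that builds a fieldtype from a field definition
    taken straight from the request body and lets it create the term.
    The acting user is never consulted, so any Control Panel user reaches
    TermStore.create through this route."""
    field_def = request["field"]  # attacker-controlled field definition
    value = request["value"]
    return store.create(field_def["taxonomy"], value)  # no authorization


# --- Hardened shape: authorization is enforced where the write happens ------

class AuthorizedTermStore(TermStore):
    """Every creation path must pass the acting user, so the check cannot be
    skipped by reaching the store through a different controller."""

    def create_as(self, user: User, taxonomy: str, slug: str) -> str:
        if not can_create_term(user, taxonomy):
            raise Forbidden(f"{user.name} may not create terms in {taxonomy}")
        return self.create(taxonomy, slug)


def fieldtype_action_fixed(store: AuthorizedTermStore, user: User, request: dict) -> str:
    """Same route as above, but the write goes through the authorized path."""
    field_def = request["field"]
    return store.create_as(user, field_def["taxonomy"], request["value"])


def demo() -> dict:
    """Exercises both shapes with constructed users and a constructed request."""
    low = User("viewer", frozenset())                          # constructed: no term permissions
    editor = User("editor", frozenset({"create tags terms"}))  # constructed
    request = {"field": {"type": "terms", "taxonomy": "tags"},  # constructed request body
               "value": "planted-term"}

    out = {}
    vuln = TermStore()
    try:
        create_term_endpoint(vuln, low, "tags", "planted-term")
        out["standard_route_blocked"] = False
    except Forbidden:
        out["standard_route_blocked"] = True
    # The same low-privilege user succeeds through the unchecked field action.
    out["vulnerable_action_created"] = (
        fieldtype_action_vulnerable(vuln, low, request) in vuln.terms["tags"])

    fixed = AuthorizedTermStore()
    try:
        fieldtype_action_fixed(fixed, low, request)
        out["fixed_action_blocked"] = False
    except Forbidden:
        out["fixed_action_blocked"] = True
    # A user who actually holds the permission still succeeds after the fix.
    out["fixed_editor_created"] = (
        fieldtype_action_fixed(fixed, editor, request) in fixed.terms["tags"])
    return out


if __name__ == "__main__":
    print(demo())
```

Moving the check into the store (create_as) is the general fix for this class of bug: authorization belongs to the operation, not to one of the routes that happens to reach it. A further hardening, which the advisory does not describe and is an assumption of this example, is to resolve field definitions server-side from the blueprint by field handle rather than accept them from the request body at all.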

Affected Systems

The issue affects Statamic installations running versions earlier than 5.73.14 on the 5.x branch and earlier than 6.7.0 on the 6.x branch. The flaw is in the core statamic/cms package (the Control Panel's field action processing), not in any third-party addon or theme; an installation is exposed whenever its Control Panel is reachable by users holding low-privilege accounts.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) comes from the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network with low attack complexity and no user interaction, but it requires an authenticated low-privilege Control Panel account, and its impact is limited to integrity (unauthorized term creation) with no confidentiality or availability effect. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, and the SSVC assessment records Exploitation: none and Automatable: no. It is not listed in CISA's KEV catalog. Exploitation consists of an authenticated user submitting a crafted request with their own field definitions to the field action endpoint, so any low-privilege Control Panel login is sufficient.

Generated by OpenCVE AI on March 23, 2026 at 20:40 UTC.

Remediation

Fixed by the vendor in Statamic 5.73.14 and 6.7.0 (GHSA-wh3h-gvc4-cc2g). No workaround is published for unpatched versions, so upgrading is the remediation.

OpenCVE Recommended Actions

  • Upgrade Statamic to version 5.73.14 or newer on the 5.x branch, or 6.7.0 or newer on the 6.x branch, to receive the restored authorization checks.
  • Confirm the installed version first with composer show statamic/cms (or the statamic/cms entry in composer.lock), so that already-patched sites are not mistaken for vulnerable ones.



Advisories
Source: GitHub GHSA
ID: GHSA-wh3h-gvc4-cc2g
Title: Statamic is missing authorization check on taxonomy term creation via fieldtype
History

Mon, 23 Mar 2026 19:00:00 +0000

Values added:
  First time appeared: Statamic statamic
  CPEs: cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
  Vendors & Products: Statamic statamic

Mon, 23 Mar 2026 17:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Values added:
  First time appeared: Statamic; Statamic cms
  Vendors & Products: Statamic; Statamic cms

Fri, 20 Mar 2026 21:45:00 +0000

Values added:
  Description: Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.
  Title: Statamic is missing authorization check on taxonomy term creation via fieldtype
  Weaknesses: CWE-862
  References:
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T16:49:26.359Z

Reserved: 2026-03-17T22:16:36.719Z

Link: CVE-2026-33177

Vulnrichment

Updated: 2026-03-23T16:49:23.148Z

NVD

Status : Analyzed

Published: 2026-03-20T22:16:29.117

Modified: 2026-03-23T18:45:27.150

Link: CVE-2026-33177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:27Z

Weaknesses