Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.
Published: 2026-03-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Content Disclosure
Action: Immediate Patch
AI Analysis

Impact

Statamic is a CMS that uses live preview tokens to let Control Panel users preview content. Prior to versions 5.73.16 and 6.7.2, an authenticated user with live preview permissions could use a token issued for one entry to view the content of unrelated, protected entries. The vulnerability is a failure to check authorization after successful authentication (CWE-863): the token proves who the user is, but the server does not verify that the token is scoped to the entry being requested, so content protection rules can be bypassed. The result is unauthorized disclosure of restricted content to users who should not have access to it.

Affected Systems

The vulnerability affects Statamic CMS, specifically versions earlier than 5.73.16 for the 5.x series and earlier than 6.7.2 for the 6.x series. No other vendor or product versions are impacted.

Risk and Exploitability

The CVSS score of 4.3 (Medium) indicates limited overall severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated Control Panel user with live preview capabilities, so the realistic threat is an insider or an attacker using compromised Control Panel credentials to read restricted content.

Generated by OpenCVE AI on April 8, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic to version 5.73.16 or later, or 6.7.2 or later, to apply the vendor patch.
  • If an upgrade cannot be performed immediately, disable the live preview feature or restrict live preview permissions to trusted users.
  • Monitor Control Panel logs for unauthorized preview token usage and investigate any suspicious activity.

Advisories
Source | ID | Title
GitHub GHSA | GHSA-8vwx-ccf6-5wg2 | Statamic's live preview token bypasses content protection for unrelated entries
History

Wed, 08 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Statamic statamic
CPEs | | cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products | | Statamic statamic

Mon, 30 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Statamic; Statamic cms
Vendors & Products | | Statamic; Statamic cms

Sat, 28 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
Description | | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.
Title | | Statamic's live preview token bypasses content protection for unrelated entries
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T15:37:30.499Z

Reserved: 2026-03-24T15:10:05.681Z

Link: CVE-2026-33884

Vulnrichment

Updated: 2026-03-30T15:37:26.298Z

NVD

Status: Analyzed

Published: 2026-03-27T21:17:25.183

Modified: 2026-04-08T14:17:43.743

Link: CVE-2026-33884

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:58Z

Weaknesses