Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.
Published: 2026-03-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized content disclosure via revision access
Action: Apply Patch
AI Analysis

Impact

Statamic's revision controllers lacked authorization checks prior to versions 5.73.16 and 6.7.2, allowing any authenticated Control Panel user to view or create revisions for collections with revisions enabled, irrespective of the user's collection permissions. This exposes private entry data and blueprint definitions to unauthorized users: content that has never been published can still be read from its revision history. The vulnerability does not permit direct alteration of published data; however, the ability to inspect historical content can aid in reconstructing or leaking confidential information.
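As an added illustration of the CWE-862 pattern the advisory describes (example code, not Statamic's own), the Laravel-style controller below places a revisions endpoint that relies on Control Panel login alone next to one that applies the same per-collection policy check the entry controllers enforce; the class, model, `hasPermission()` and permission-string names are assumed.

```php
<?php
// Hypothetical Laravel CP controller; RevisionsController, EntryPolicy,
// Entry, User and the "view {collection} entries" strings are assumed names.
// The policy must be registered, e.g. Gate::policy(Entry::class, EntryPolicy::class).

namespace App\Http\Controllers\CP;

use App\Models\Entry;   // assumed: collectionHandle(), revisions(), createRevision()
use App\Models\User;    // assumed: hasPermission(string $permission): bool
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

// Mirrors the check the main entry controllers apply: read access to an entry
// (and therefore to its revisions) requires the collection's view permission.
class EntryPolicy
{
    public function view(User $user, Entry $entry): bool
    {
        return $user->hasPermission("view {$entry->collectionHandle()} entries");
    }

    public function edit(User $user, Entry $entry): bool
    {
        return $user->hasPermission("edit {$entry->collectionHandle()} entries");
    }
}

class RevisionsController extends Controller
{
    use AuthorizesRequests;

    // Vulnerable shape: the route's auth middleware proves CP login, nothing
    // proves the user may read this collection, so every CP user sees every revision.
    public function indexUnchecked(Request $request, Entry $entry)
    {
        return response()->json($entry->revisions());
    }

    // Fixed shape: authorize() consults EntryPolicy::view and throws an
    // AuthorizationException (rendered as HTTP 403) when it returns false.
    public function index(Request $request, Entry $entry)
    {
        $this->authorize('view', $entry);
        return response()->json($entry->revisions());
    }

    // Creating a revision snapshots content, so it is gated on edit rights.
    public function store(Request $request, Entry $entry)
    {
        $this->authorize('edit', $entry);
        return response()->json($entry->createRevision(), 201);
    }
}
```

A regression check for this class of bug is to call each revision route as a CP user who holds no permission on the target collection and assert a 403, not just that an unauthenticated client is redirected to login.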

Affected Systems

The affected product is Statamic CMS. Any installation running 5.72.x or 5.73.x before 5.73.16, or 6.6.x or 6.7.x before 6.7.2, with revisions enabled is vulnerable. The issue is specific to the Control Panel's revision endpoints, which did not apply the collection permission checks that the entry endpoints enforce.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely in the near term. The vulnerability requires an authenticated user with Control Panel access; it is not publicly exploitable from the network. Because the issue only permits unauthorized reading of revision data rather than altering or publishing content, the overall risk is moderate, but it is still a legitimate concern for sites handling sensitive or confidential information.

Generated by OpenCVE AI on April 8, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic to version 5.73.16 or later, or 6.7.2 or later, to apply the authorization fix.

Advisories

Source: GitHub GHSA
ID: GHSA-4hp7-3wxg-cv9q
Title: Statamic allows unauthorized content access through missing authorization in its revision controllers
History

Wed, 08 Apr 2026 14:00:00 +0000

Values added:
  • First Time appeared: Statamic statamic
  • CPEs: cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
  • Vendors & Products: Statamic statamic

Mon, 30 Mar 2026 19:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Values added:
  • First Time appeared: Statamic, Statamic cms
  • Vendors & Products: Statamic, Statamic cms

Sat, 28 Mar 2026 03:15:00 +0000

Values added:
  • Description: the CVE description shown at the top of this page
  • Title: Statamic allows unauthorized content access through missing authorization in its revision controllers
  • Weaknesses: CWE-862
  • References: (empty)
  • Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-30T18:54:25.297Z
Reserved: 2026-03-24T15:10:05.681Z
Link: CVE-2026-33887

Vulnrichment

Updated: 2026-03-30T18:54:21.130Z

NVD

Status: Analyzed
Published: 2026-03-27T21:17:25.647
Modified: 2026-04-08T13:54:27.513
Link: CVE-2026-33887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:55Z

Weaknesses