CVE-2026-25633: CWE-862: Missing Authorization in statamic cms
Statamic is a Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
AI Analysis
Technical Summary
CVE-2026-25633 is a missing authorization vulnerability (CWE-862) in the Statamic content management system, which is built on Laravel and Git. The issue affects Statamic versions prior to 5.73.6 and 6.2.5, where users who are logged in and have some level of access to the control panel but lack explicit permission to view assets can still download those assets and view their metadata. This occurs because the system fails to properly enforce permission checks on asset access, allowing unauthorized disclosure of potentially sensitive files. However, unauthenticated users and those without control panel access cannot exploit this vulnerability. The flaw impacts confidentiality by exposing asset data but does not affect data integrity or system availability. The vulnerability was publicly disclosed in February 2026 and assigned a CVSS 3.1 base score of 4.3, reflecting a medium severity level. No known exploits have been observed in the wild, and patches were released in Statamic versions 5.73.6 and 6.2.5 to address the issue.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of asset files and their metadata to users who should not have access. This can lead to leakage of sensitive information such as proprietary images, documents, or configuration files stored as assets within the CMS. While the vulnerability does not allow modification or deletion of assets, the confidentiality breach could facilitate further attacks or data exfiltration. Organizations relying on Statamic CMS for website content management may face reputational damage, compliance issues, or intellectual property loss if exploited. Since exploitation requires authenticated access with some control panel privileges, the risk is somewhat limited to insiders or compromised accounts. However, in environments with many users or weak access controls, the threat surface increases. The lack of known exploits suggests limited active targeting, but the vulnerability should be treated seriously given the potential for sensitive data exposure.
Mitigation Recommendations
Organizations should upgrade Statamic CMS installations to version 5.73.6 or later on the 5.x branch, or 6.2.5 or later on the 6.x branch, where the authorization checks have been properly implemented. Until upgrades can be applied, administrators should audit user permissions rigorously to ensure that only trusted users have control panel access and that asset viewing permissions are restricted appropriately. Implementing strong authentication mechanisms, such as multi-factor authentication, reduces the risk of compromised accounts being used to exploit this flaw. Additionally, monitoring access logs for asset downloads by accounts that do not hold the asset viewing permission can help detect exploitation attempts. If possible, temporarily restricting asset access or disabling asset downloads for lower-privileged users can serve as a short-term mitigation. Regularly reviewing and updating CMS user roles and permissions is critical to minimizing exposure.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-04T05:15:41.790Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698cea984b57a58fa1c97f43
Added to database: 2/11/2026, 8:46:16 PM
Last enriched: 2/19/2026, 1:53:57 PM
Last updated: 3/29/2026, 1:38:55 AM