CVE-2026-33171: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in statamic cms
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0.
AI Analysis
Technical Summary
CVE-2026-33171 is a path traversal vulnerability in the Statamic content management system (CMS), which is built on Laravel and Git. The flaw lies in how the file dictionary's `filename` configuration parameter is handled by the fieldtype's endpoint. Authenticated users with Control Panel access can manipulate this parameter to traverse directories and read arbitrary files with the extensions `.json`, `.yaml`, and `.csv` from the server filesystem. The root cause is an improper limitation of a pathname to a restricted directory (CWE-22), which lets an attacker bypass the intended directory restriction. The vulnerability affects Statamic versions prior to 5.73.14 and 6.7.0. Exploitation requires valid authentication credentials but no additional user interaction. The impact is to confidentiality only: potentially sensitive configuration or data files are exposed, while integrity and availability are unaffected. The CVSS v3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, required privileges, no user interaction, and limited confidentiality impact. No public exploits have been reported to date. The vendor addressed the issue in versions 5.73.14 and 6.7.0 by properly restricting pathname traversal in the affected endpoint.
Potential Impact
The primary impact of CVE-2026-33171 is unauthorized disclosure of sensitive information stored in .json, .yaml, and .csv files on servers running vulnerable Statamic CMS versions. Attackers with authenticated Control Panel access can leverage this flaw to read configuration files, credentials, or other sensitive data, potentially facilitating further attacks such as privilege escalation or lateral movement. Although the vulnerability does not allow modification or deletion of files, the confidentiality breach can expose internal system details and user data. Organizations relying on Statamic CMS for website or application content management may face increased risk of data leakage, especially if sensitive information is stored in accessible file formats. The requirement for authentication limits the attack surface to insiders or compromised accounts, but the ease of exploitation and network accessibility raise concerns for organizations with weak access controls or exposed Control Panels. No known active exploitation reduces immediate risk, but delayed patching could lead to targeted attacks. Overall, the vulnerability poses a moderate threat to confidentiality and organizational security posture.
Mitigation Recommendations
To mitigate CVE-2026-33171, organizations should promptly upgrade Statamic CMS to versions 5.73.14 or 6.7.0, where the vulnerability has been fixed. Until upgrades are applied, administrators should restrict Control Panel access strictly to trusted users and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Network-level controls like IP whitelisting or VPN access for the Control Panel can further limit exposure. Review and audit file permissions on the server to ensure sensitive files are not unnecessarily accessible to the web server process. Implement monitoring and alerting for unusual file access patterns or Control Panel activities that could indicate exploitation attempts. Additionally, consider scanning existing systems for signs of unauthorized file reads or suspicious behavior. Regularly update and patch all components of the CMS and underlying infrastructure to minimize exposure to known vulnerabilities.
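The control that a CWE-22 fix of this kind needs is a containment check: the user-influenced filename is resolved against the dictionary directory and accepted only if the resolved path still lies inside that directory and carries an allowed extension. The following is an added example written for this page, not Statamic's code or its actual patch; the directory layout, file names and the `resolve_dictionary_file` helper are assumptions, and the sample files it creates in a temporary directory are constructed for the demonstration.

```python
"""Added example (not Statamic's code): confine a user-supplied dictionary
filename to a fixed directory and an extension allowlist.  Directory layout,
function names and sample files are assumptions constructed for this demo."""
import tempfile
from pathlib import Path

# Extensions the page's description names as dictionary file types.
ALLOWED_SUFFIXES = {".json", ".yaml", ".csv"}


class UnsafePathError(ValueError):
    """Raised when a filename would escape the base directory or has a bad extension."""


def resolve_dictionary_file(base_dir, filename: str) -> Path:
    """Return the absolute path of `filename` inside `base_dir`, or raise.

    Order of checks: non-empty input, extension allowlist on the *resolved*
    name, then containment (base_dir must be a parent of the resolved path,
    after '..' components and symlinks have been collapsed), then existence.
    """
    if not filename:
        raise UnsafePathError("empty filename")
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()
    # Judge the extension on the resolved name, so a prefix like 'x.json/..'
    # cannot make a disallowed target look allowed.
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise UnsafePathError(f"extension not allowed: {candidate.suffix or '(none)'}")
    # Containment: the resolved path must sit strictly below the base directory.
    if base not in candidate.parents:
        raise UnsafePathError(f"path escapes dictionary directory: {filename!r}")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def demo() -> dict:
    """Build a constructed layout in a temp dir and probe the resolver.

    Returns {filename: 'ok' | 'rejected' | 'missing'} so the outcome of every
    probe can be checked programmatically.
    """
    root = Path(tempfile.mkdtemp())
    dicts = root / "resources" / "dictionaries"       # assumed base directory
    dicts.mkdir(parents=True)
    (dicts / "countries.json").write_text('{"NL": "Netherlands"}')
    (dicts / "notes.txt").write_text("not a dictionary file")
    # A sensitive-looking file one level above the base directory (constructed).
    (root / "resources" / "config.yaml").write_text("app_key: constructed-placeholder\n")

    probes = [
        "countries.json",              # legitimate request
        "../config.yaml",              # traversal to the parent directory
        "../../../../etc/passwd",      # classic traversal; also fails the extension check
        "notes.txt",                   # inside the base directory but disallowed extension
        "x.json/../../config.yaml",    # traversal hidden behind an allowed-looking prefix
        "missing.csv",                 # allowed and contained, but the file does not exist
    ]
    results = {}
    for name in probes:
        try:
            resolve_dictionary_file(dicts, name)
            results[name] = "ok"
        except UnsafePathError:
            results[name] = "rejected"
        except FileNotFoundError:
            results[name] = "missing"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{outcome:8} {name}")
```

The containment test is done on the fully resolved path rather than by string-prefix matching on the raw input, so encoded or nested `..` components and symlinks inside the base directory are all judged by where they actually land; the extension check alone would not be enough, since a `.yaml` file outside the dictionary directory is exactly what this vulnerability class exposes.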
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, Netherlands, France, Sweden, New Zealand, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T22:16:36.718Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdc1299e4ece4ed25050a2
Added to database: 3/20/2026, 9:50:33 PM
Last enriched: 3/20/2026, 9:51:58 PM
Last updated: 3/21/2026, 2:05:14 AM