CVE-2026-33171 is a path traversal vulnerability classified under CWE-22 affecting Statamic CMS, a Laravel and Git-powered content management system. The vulnerability exists in the handling of the file dictionary's filename configuration parameter within the fieldtype's endpoint. Authenticated users with Control Panel access could manipulate this parameter to traverse directories and read arbitrary files with extensions such as .json, .yaml, and .csv on the server. This improper limitation of pathname allows attackers to bypass intended directory restrictions and access sensitive files that may contain configuration data, credentials, or other sensitive information. The vulnerability does not allow modification or deletion of files, only unauthorized reading. It affects Statamic CMS versions from 6.0.0-alpha.1 up to but not including 6.7.0, and versions below 5.73.14. The flaw was addressed and patched in versions 5.73.14 and 6.7.0 by properly restricting the filename parameter to prevent directory traversal. The CVSS 3.1 base score is 4.3, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (authenticated user), and no user interaction. There are no known exploits in the wild as of the publication date. This vulnerability highlights the importance of strict input validation and access control in CMS components that handle file paths.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive files on servers running vulnerable versions of Statamic CMS. Attackers with authenticated Control Panel access can read configuration files and data files that may contain sensitive information such as API keys, database credentials, or internal configuration details. This can lead to further attacks such as privilege escalation, lateral movement, or data breaches. However, since the vulnerability does not allow file modification or deletion, it does not directly impact system integrity or availability. The requirement for authenticated access limits the attack surface to users who already have some level of trust or access, such as employees or contractors, but it could also be exploited if credentials are compromised or weak. Organizations relying on Statamic CMS for their websites or internal portals may face data confidentiality risks, reputational damage, and compliance issues if sensitive information is exposed. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits in the future.

1. Upgrade Statamic CMS to version 5.73.14 or later, or 6.7.0 or later, where the vulnerability is patched. 2. Restrict Control Panel access strictly to trusted and necessary users, employing strong authentication mechanisms such as multi-factor authentication (MFA). 3. Audit existing user accounts and permissions to minimize the number of users with Control Panel access. 4. Monitor logs for unusual file access patterns or attempts to manipulate the filename parameter in the fieldtype endpoint. 5. Implement web application firewalls (WAF) with rules to detect and block directory traversal attempts targeting the vulnerable endpoints. 6. Review and secure sensitive configuration files by limiting their readability to necessary system processes and users. 7. Conduct regular security assessments and code reviews focusing on input validation and path handling in custom CMS extensions or plugins. 8. Educate administrators and developers about the risks of path traversal vulnerabilities and secure coding practices.