CVE-2026-33882 is a vulnerability classified under CWE-20 (Improper Input Validation) and CWE-200 (Information Exposure) affecting the Statamic content management system (CMS), which is built on Laravel and Git. The issue resides in the markdown preview endpoint, which prior to versions 5.73.16 and 6.7.2, could be manipulated by an authenticated control panel user to return augmented data from arbitrary fieldtypes. The vulnerability specifically allows an attacker with control panel access to exploit the users fieldtype to retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. This occurs because the endpoint does not properly validate input parameters controlling which fieldtypes are returned, leading to unauthorized exposure of sensitive information. The vulnerability requires authentication with control panel privileges but does not require additional user interaction. The flaw has been fixed in Statamic versions 5.73.16 and 6.7.2 by implementing proper input validation and restricting data exposure in the markdown preview endpoint. No known exploits are currently reported in the wild, but the potential for sensitive data leakage makes this a significant concern for affected users.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information, including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. Exposure of such data can facilitate further attacks such as targeted phishing, credential cracking attempts, or bypassing multi-factor authentication mechanisms if encryption is weak or keys are compromised. Since the vulnerability requires authenticated access with control panel privileges, the risk is elevated in environments where user accounts with such privileges are compromised or granted to untrusted personnel. Organizations using affected versions of Statamic CMS risk data breaches that could undermine user privacy and trust, potentially leading to regulatory penalties and reputational damage. Although the vulnerability does not allow direct code execution or system compromise, the information leakage can be a stepping stone for more advanced attacks. The scope of affected systems includes any organization running vulnerable versions of Statamic CMS, which is used globally by businesses and developers for content management.

To mitigate this vulnerability, organizations should immediately upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later, where the issue is patched. In addition to patching, organizations should audit and restrict control panel user privileges to the minimum necessary, ensuring that only trusted users have access to sensitive endpoints. Implementing strong authentication mechanisms and monitoring control panel access logs can help detect and prevent misuse. If immediate patching is not feasible, consider disabling or restricting access to the markdown preview endpoint, especially for users with elevated privileges. Regularly review and update CMS components and dependencies to reduce exposure to known vulnerabilities. Finally, encrypt sensitive data at rest and in transit using strong cryptographic standards to minimize the impact of any potential data exposure.