CVE-2026-33884: CWE-863: Incorrect Authorization in statamic cms
Statamic is a Laravel- and Git-powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 and 6.7.2.
AI Analysis
Technical Summary
Statamic CMS versions before 5.73.16 and 6.7.2 contain an authorization flaw (CWE-863) where an authenticated user with live preview permissions can leverage a live preview token to access restricted content not meant for them. This vulnerability allows unauthorized read access to certain content within the CMS. The issue was fixed in versions 5.73.16 and 6.7.2. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity, requiring privileges but no user interaction, and resulting in limited confidentiality impact without integrity or availability effects.
Potential Impact
An authenticated Control Panel user with live preview access could view restricted content that should be inaccessible to them. The impact is limited to confidentiality loss of some content within the CMS. There is no impact on integrity or availability. No known exploits have been reported.
Mitigation Recommendations
Upgrade Statamic CMS to version 5.73.16 or later, or 6.7.2 or later, where this authorization issue has been fixed. No other mitigation is indicated or required by the vendor advisory. Patch status is confirmed by the version fixes noted.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T15:10:05.681Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6efce3c064ed76ff462d5
Added to database: 3/27/2026, 8:59:58 PM
Last enriched: 4/4/2026, 11:02:09 AM
Last updated: 5/11/2026, 7:16:30 AM