CVE-2026-33884 is an incorrect authorization vulnerability (CWE-863) affecting Statamic CMS, a Laravel and Git-powered content management system. The flaw exists in versions prior to 5.73.16 and 6.7.2, where an authenticated Control Panel user with live preview permissions can exploit the live preview token mechanism to access restricted content that the token was not intended to expose. This occurs because the system fails to properly enforce authorization checks on the live preview tokens, allowing privilege escalation within the CMS content preview functionality. The vulnerability requires the attacker to have authenticated access to the Control Panel with live preview rights but does not require additional user interaction. The attack vector is network-based, and the vulnerability impacts confidentiality by exposing sensitive or restricted content. No impact on integrity or availability has been reported. The issue was addressed by strengthening authorization checks in the live preview token handling in versions 5.73.16 and 6.7.2. There are no known exploits in the wild as of the publication date, but the vulnerability presents a risk to organizations using affected versions of Statamic CMS, especially those hosting sensitive or confidential content.

The primary impact of this vulnerability is unauthorized disclosure of restricted content within Statamic CMS installations. Attackers with authenticated Control Panel access and live preview permissions can bypass intended content access controls, potentially exposing sensitive or confidential information. This can lead to information leakage, which may facilitate further attacks such as social engineering or targeted exploitation. Since the vulnerability does not affect data integrity or system availability, the risk is confined to confidentiality breaches. Organizations relying on Statamic CMS for content management, especially those handling sensitive data or regulated information, face increased risk of data exposure. The medium CVSS score reflects the moderate severity due to the requirement for authenticated access and limited scope of impact. However, in environments where many users have live preview access or where content sensitivity is high, the impact could be significant.

To mitigate this vulnerability, organizations should promptly upgrade Statamic CMS to version 5.73.16 or later, or 6.7.2 or later, where the authorization checks for live preview tokens have been corrected. Additionally, organizations should audit user permissions within the Control Panel to ensure that only trusted users have live preview access, minimizing the risk of misuse. Implementing strict access controls and monitoring Control Panel user activities can help detect any unauthorized attempts to access restricted content. If immediate patching is not feasible, consider temporarily disabling live preview functionality or restricting it to a minimal set of users. Regularly review CMS logs for unusual access patterns related to live preview tokens. Finally, maintain an up-to-date inventory of CMS versions deployed across the organization to ensure timely patch management.