CVE-2026-33885: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in statamic cms
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. This has been fixed in 5.73.16 and 6.7.2.
AI Analysis
Technical Summary
CVE-2026-33885 is an open redirect (CWE-601) in Statamic, a content management system built on Laravel and Git. In versions before 5.73.16 and 6.7.2, the check that decides whether a redirect target is external, as applied on unauthenticated endpoints, can be bypassed, so an attacker can craft a link or form that sends a user to an arbitrary external site after actions such as a form submission or an authentication flow. The public description does not say which input pattern defeats the check; what it does establish is that the detection logic, not the redirect mechanism itself, was the weak point, and the fix in 5.73.16 and 6.7.2 tightens that detection. The attacker needs no account, because the affected endpoints are unauthenticated; the only interaction required is that a victim follow a link or submit a form. The CVSS v3.1 base score is 6.1 (Medium): network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, low impact on confidentiality and integrity, and none on availability. Scope is changed because the consequence lands in the victim's browser, on whichever site the attacker chooses, rather than in the Statamic instance. No exploitation in the wild is reported. The practical risk is social engineering: a redirect that passes through the site's legitimate domain lends that domain's credibility to the phishing destination, which is why open redirects on authentication and form endpoints are worth fixing quickly. Sites running affected versions should upgrade.
Potential Impact
The primary impact of CVE-2026-33885 is that an unauthenticated attacker can make a Statamic site send its users to a destination the attacker controls. The value to the attacker is credibility: the link the victim sees, and the address bar until the redirect fires, belong to the legitimate site, which makes a phishing page for credentials or personal data far more convincing than a link to an unknown domain. Because the affected flows include authentication, a victim can be redirected immediately after signing in to a look-alike page that asks them to sign in again, the moment they are least likely to notice. The same redirect can point at malware downloads or drive-by exploit pages. The vulnerability affects the confidentiality and integrity of the user's interaction with the site; it does not affect availability, though the reputational damage and loss of user trust can be significant. Because it is exploitable over the network and needs only a click, it scales: one crafted link can be mailed to many recipients. Any public-facing site on a version before 5.73.16 or 6.7.2 is exposed, across e-commerce, media, and corporate deployments alike. The absence of reported exploitation lowers the immediate risk but not the longer-term one, since open redirects are cheap to weaponize once disclosed.
Mitigation Recommendations
To mitigate CVE-2026-33885, upgrade Statamic to 5.73.16 or 6.7.2 or later, the releases that tighten the external URL detection behind redirect validation. Confirm the installed version from the project's composer.lock or with composer show statamic/cms rather than from a dashboard. Where custom code or addons build redirects from user-supplied values, apply the rule the fix enforces: accept only relative paths on the site's own origin or entries from a fixed allowlist, compare hostnames after parsing the URL rather than by string prefix, and reject protocol-relative forms, backslashes and control characters, which browsers interpret more leniently than server-side string checks do. A WAF rule that blocks redirect parameters carrying obvious external URLs is a weak compensating control, because the inputs that bypass the application's own check are exactly the ones signature rules tend to miss; use it to buy time, not as the fix. For detection, log the Location response header (nginx exposes it as $sent_http_location) and alert on 3xx responses whose Location leaves the site's origin after form submissions or login, which is the direct signature of this bug being used. Tell users that an unexpected sign-in prompt after clicking a link should be treated as suspicious and that the address bar should be checked before credentials are entered. Multi-factor authentication limits the value of credentials harvested through a redirect. Finally, maintain an inventory of CMS versions deployed across the organization so that affected instances can be found and patched promptly.
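The following is an added example, not Statamic's code and not the bypass that was actually fixed, which the advisory does not disclose. It places the kind of prefix-based external URL check that this class of bug lives in next to a strict same-origin check, runs both over generic bypass shapes, and then sweeps access-log lines for redirects that leave the site, covering both the validation rule and the monitoring described above. The hostname example.com, the payload list, the log format (nginx-style with the Location header appended) and the sample log lines are assumptions constructed for illustration.

```python
"""Same-origin redirect validation next to a bypassable check, plus a sweep of
access-log lines for redirects that leave the site.

Added example for CVE-2026-33885: not Statamic's code, and the payloads are
generic bypass shapes, not the specific input the advisory fixed. SITE_HOST,
the payload list, the log format and the sample lines are assumptions."""
import re
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "example.com"  # assumed hostname of the Statamic site

# Assumed, generic shapes that defeat prefix-based "is it external?" checks.
BYPASS_PAYLOADS = [
    "//evil.example/login",               # protocol-relative
    "/\\evil.example",                    # browsers read '\' as '/' in http(s)
    "\\\\evil.example",
    "////evil.example",                   # extra slashes are skipped
    "https:evil.example",                 # scheme without '//'
    "https://example.com@evil.example/",  # userinfo before the real host
    "https://example.com.evil.example/",  # prefix match on the hostname
    "javascript:alert(1)",                # non-http scheme
    " //evil.example",                    # leading whitespace
    "/\t/evil.example",                   # control character inside
]


def naive_is_external(url: str, host: str = SITE_HOST) -> bool:
    """The shape of check this bug class lives in: a URL is external only if it
    is absolute http(s) and does not start with our own origin. Every entry in
    BYPASS_PAYLOADS slips past it, yet each leaves the site in a browser."""
    own = ("http://" + host, "https://" + host)
    return url.startswith(("http://", "https://")) and not url.startswith(own)


def same_origin_path(raw: str, host: str = SITE_HOST) -> Optional[str]:
    """Return a relative path (with query and fragment) if raw stays on host,
    otherwise None. Deliberately strict: only site-relative paths and absolute
    https URLs on exactly this host pass, and the latter are reduced to their
    path so the redirect can never carry a foreign origin."""
    if not raw:
        return None
    # Browsers drop tab/newline and skip leading/trailing controls and spaces
    # before parsing, so a check on the raw string must reject them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return None
    url = raw.replace("\\", "/")  # '\' is '/' to a browser in http(s) URLs
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.netloc:
        # Absolute URL: https only, exact hostname (.hostname lowercases and
        # strips userinfo), and no userinfo or explicit port at all.
        if parts.scheme != "https" or parts.hostname != host.lower():
            return None
        if parts.username is not None or port is not None:
            return None
        path = parts.path or "/"
    else:
        if parts.scheme:  # "https:evil.example", "javascript:..." and friends
            return None
        path = parts.path
        # Exactly one leading slash: "//host" and "////host" are authority
        # forms to a browser even where urlsplit reports no netloc for them.
        if not path.startswith("/") or path.startswith("//"):
            return None
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def safe_redirect_target(raw: str, host: str = SITE_HOST, fallback: str = "/") -> str:
    """What a form or login handler should call before issuing its redirect."""
    return same_origin_path(raw, host) or fallback


# Assumed access-log format: ip "METHOD path protocol" status "Location header"
# (nginx can add the header to its log format via $sent_http_location).
LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')


def find_offsite_redirects(lines: List[str], host: str = SITE_HOST) -> List[dict]:
    """Flag 3xx responses whose Location leaves the site. After a form POST or
    a login, such a response is exactly what a redirect-validation bypass
    produces, so these lines are the detection signal for this bug."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ip, method, path, status, location = m.groups()
        if not 300 <= int(status) < 400 or location in ("", "-"):
            continue
        if same_origin_path(location, host) is None:
            hits.append({"ip": ip, "method": method, "path": path, "location": location})
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 "POST /forms/contact HTTP/1.1" 302 "https://example.com/thanks"',
    '203.0.113.7 "POST /forms/contact HTTP/1.1" 302 "//evil.example/login"',
    '198.51.100.2 "POST /login HTTP/1.1" 302 "https://example.com@evil.example/"',
    '198.51.100.9 "GET /about HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for p in BYPASS_PAYLOADS:
        print(f"{p!r:40} naive_external={naive_is_external(p)!s:5} "
              f"safe_target={safe_redirect_target(p)}")
    for hit in find_offsite_redirects(SAMPLE_LOG):
        print("off-site redirect:", hit)
```

Running the module prints each payload with the verdict of both checks and then the two log lines that redirected off-site. The strict check refuses same-host URLs with an explicit port or a userinfo component; that costs nothing for a redirect parameter, where the only legitimate values are paths on the site itself, and it removes the ambiguity that host-string comparisons are bypassed through.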
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, Netherlands, France, Sweden, New Zealand, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T15:10:05.681Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6efce3c064ed76ff462d8
Added to database: 3/27/2026, 8:59:58 PM
Last enriched: 3/27/2026, 9:17:15 PM
Last updated: 3/28/2026, 12:52:08 AM