CVE-2026-33887 is an authorization bypass vulnerability (CWE-862) affecting Statamic CMS, a Laravel and Git-powered content management system. The flaw exists in versions prior to 5.73.16 and 6.7.2, where authenticated Control Panel users can access entry revisions of any collection with revisions enabled, regardless of their assigned collection permissions. Normally, the main entry controllers enforce strict authorization checks to restrict access based on user permissions. However, this vulnerability allows bypassing those checks, exposing entry field values and blueprint data that should be restricted. Furthermore, users lacking edit permissions can create entry revisions, which only snapshot the current content state without modifying published content. The vulnerability requires authenticated access but no additional user interaction. The CVSS v3.1 score is 5.4 (medium severity), reflecting the network attack vector, low attack complexity, and privileges required. No known exploits are currently reported in the wild. The issue was publicly disclosed on March 27, 2026, and fixed in Statamic CMS versions 5.73.16 and 6.7.2. Organizations running vulnerable versions should upgrade to mitigate unauthorized data disclosure risks.

The primary impact of this vulnerability is unauthorized disclosure of sensitive content data within the CMS. Attackers with authenticated Control Panel access but limited permissions can view entry revisions and blueprint data beyond their authorization scope, potentially exposing confidential or sensitive information. Although the ability to create revisions without edit permissions does not alter published content, it may allow attackers to snapshot content states for later analysis or exploitation. This exposure can lead to information leakage, aiding further attacks such as social engineering or privilege escalation. Organizations relying on Statamic CMS for content management may face reputational damage, compliance violations, and increased risk of targeted attacks if this vulnerability is exploited. The medium severity rating reflects that while the vulnerability requires authenticated access, the scope of unauthorized data exposure and ease of exploitation pose a meaningful risk to affected deployments worldwide.

To mitigate this vulnerability, organizations should promptly upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later, where the authorization checks have been properly enforced. Until upgrades can be applied, administrators should restrict Control Panel access strictly to trusted users and review user permissions to minimize exposure. Implementing strong authentication mechanisms such as multi-factor authentication (MFA) can reduce the risk of unauthorized access. Additionally, monitoring and auditing Control Panel user activities for unusual access patterns to entry revisions can help detect exploitation attempts. Organizations should also consider disabling or limiting the use of entry revisions for collections where sensitive data is stored if feasible. Regularly reviewing and updating CMS user roles and permissions to follow the principle of least privilege will further reduce risk. Finally, maintaining up-to-date backups and incident response plans will aid in recovery if exploitation occurs.