Executive Summary

CVE-2026-25633 is an authorization vulnerability in the Statamic CMS before versions 5.73.6 and 6.2.5. It allows users who are logged in but do not have permission to view assets to download those assets and view their metadata. However, logged-out users and users without control panel access cannot exploit this issue.

The vulnerability exists because certain asset-related controllers (handling PDFs, SVGs, and thumbnails) did not properly check if the user had permission to view the requested asset before serving its contents. This missing authorization check allowed unauthorized access to asset files.

The issue was fixed by adding explicit authorization checks in these controllers and removing an update route that could be exploited without proper permissions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized users who are logged in but lack asset viewing permissions to access and download sensitive assets and their metadata from your Statamic CMS installation.

Since the vulnerability affects confidentiality only (with a CVSS score of 4.3), it does not impact the integrity or availability of your system, but it can lead to unauthorized disclosure of potentially sensitive files.

The attack requires low privileges and no user interaction, making it relatively easy for an attacker with some access to exploit.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized users with some level of access being able to download assets and view their metadata without proper permissions. Detection would involve monitoring access to asset-related endpoints in the Statamic CMS control panel routes.

Since the vulnerability is related to missing authorization checks on asset access, you can detect attempts by checking web server or application logs for requests to asset endpoints such as PDFs, SVGs, and thumbnails that are accessed by users without proper permissions.

Specific commands are not provided in the available resources, but general approaches include:

• Review web server access logs for unusual or unauthorized requests to asset URLs.
• Use tools like curl or wget to test asset access endpoints while authenticated as a user without asset viewing permissions to see if access is improperly granted.
• Implement application-level logging or monitoring to track asset access attempts and verify if authorization checks are enforced.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Statamic CMS to a fixed version where the vulnerability has been addressed.

• Upgrade to Statamic CMS version 5.73.6 or later if you are using the 5.x branch.
• Upgrade to Statamic CMS version 6.2.5 or later if you are using the 6.x branch.

These versions include proper authorization checks on asset access routes, preventing unauthorized users from downloading assets or viewing their metadata.

Additionally, review user permissions to ensure that only authorized users have access to asset viewing capabilities in the control panel.

Useful 0 Not Useful 0