Compliance Impact

This vulnerability exposes sensitive user information including email addresses, encrypted passkey data, and encrypted two-factor authentication codes. Such exposure of personal and security-related data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information.

The improper input validation allowing unauthorized data exposure represents a risk to confidentiality, a core principle in these regulations. Organizations using affected versions of Statamic CMS may face compliance issues if this vulnerability is exploited and sensitive data is disclosed.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33882 is a moderate severity vulnerability affecting the Statamic CMS versions prior to 5.73.16 and 6.7.2. The issue exists in the markdown preview endpoint, which can be manipulated by an authenticated control panel user to return augmented data from arbitrary fieldtypes.

Specifically, when exploited with the users fieldtype, this vulnerability allows exposure of sensitive user information including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.

The root cause is improper input validation (CWE-20), where the system fails to correctly validate input data, enabling unauthorized data exposure.

The attack requires network access, low privileges, and no user interaction, making it relatively easy to exploit.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a high confidentiality loss by exposing sensitive user data such as email addresses, encrypted passkey data, and encrypted two-factor authentication codes.

An attacker with authenticated control panel access could retrieve this sensitive information, potentially leading to further attacks or unauthorized access.

However, the vulnerability does not affect the integrity or availability of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves manipulation of the markdown preview endpoint by an authenticated control panel user to access sensitive data. Detection would involve monitoring access to this specific endpoint and looking for unusual or unauthorized requests that attempt to retrieve augmented data from arbitrary fieldtypes, especially the users fieldtype.

Since the vulnerability requires authentication and targets a specific endpoint, commands to detect exploitation attempts could include inspecting web server logs or application logs for suspicious POST or GET requests to the markdown preview endpoint.

• Use grep or similar tools to search logs for requests to the markdown preview endpoint, e.g., `grep "/markdown/preview" /var/log/nginx/access.log`
• Check for unusual parameters or payloads in requests to the markdown preview endpoint that might indicate attempts to access user fieldtype data.
• Monitor authenticated user activity for unexpected access patterns or data retrieval from the control panel.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the statamic/cms package to version 5.73.16 or 6.7.2 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the control panel and the markdown preview endpoint to only trusted authenticated users.

Review and tighten authentication and authorization controls to ensure that only necessary users have access to sensitive endpoints.

Monitor logs for suspicious activity targeting the markdown preview endpoint and respond promptly to any detected exploitation attempts.

Useful 0 Not Useful 0