CVE-2026-33884
Unauthorized Access via Live Preview Token in Statamic CMS
Publication date: 2026-03-27
Last updated on: 2026-04-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| statamic | statamic | < 5.73.16 |
| statamic | statamic | >= 6.0.0, < 6.7.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability lets an authenticated Control Panel user read restricted content entries by misusing a live preview token. Its compliance relevance depends on what those restricted entries hold: if unpublished or private entries contain personal data or regulated information, their disclosure to a user who was not authorized to see them is the kind of access-control failure that GDPR and HIPAA require you to prevent, and may need to be assessed as a reportable incident.
The weakness affects confidentiality only, so the question for a compliance review is which entries the affected users could have reached, not whether data was altered or destroyed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation requires an authenticated Control Panel user who can use live preview, so detection has two parts: confirming whether the installed version is affected, and looking for live preview tokens used against content they were not issued for.
Live preview loads the site's front-end URL with the token in the query string, so the token appears in ordinary web server access logs. Misuse looks like the same token value fetching several different front-end paths, or a path belonging to an entry the user could not otherwise view.
- Confirm the installed version from the project root: `composer show statamic/cms` prints the installed package version, and `php please --version` reports the Statamic version. The 5.x line is fixed in 5.73.16 and the 6.x line in 6.7.2.
- Search access logs for token-bearing front-end requests, for example `grep 'token=' /var/log/apache2/access.log`. The exact query parameter name should be confirmed against the URL the Control Panel's preview iframe loads on your version.
- Group the matching requests by token value and flag tokens that successfully fetched more than one distinct path, or paths under restricted sections of the site. Note that an editor changing a slug while previewing can legitimately produce two paths for one token, so treat hits as leads to review, not as proof.
- Correlate the source IP and time of any suspicious token use with the Control Panel user who opened the preview, and compare the entries reached with that user's collection permissions.
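The token-grouping check from the list above, written out as an added example for this page (it is not Statamic's code). It assumes Apache/Nginx combined-format access logs and that the preview URL carries the token as a `token` query parameter; the log lines it runs over are constructed.

```python
"""Flag live-preview tokens that successfully fetched more than one front-end path.

Added example for this page, not Statamic's code. Assumptions: combined-format
access logs, and that the preview token travels as a `token` query parameter
(verify against the URL the Control Panel preview iframe loads on your version).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident authuser [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample. Token abc123 was opened for /blog/draft-post from the Control Panel,
# then replayed against two other paths; def456 is a normal single-entry preview.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [27/Mar/2026:10:01:12 +0000] "GET /blog/draft-post?token=abc123 HTTP/1.1" 200 5120 "https://cms.example.test/cp/collections/blog/entries/1" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Mar/2026:10:01:40 +0000] "GET /blog/draft-post?token=abc123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Mar/2026:10:03:05 +0000] "GET /internal/board-minutes?token=abc123 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Mar/2026:10:03:30 +0000] "GET /internal/salary-bands?token=abc123 HTTP/1.1" 200 7310 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [27/Mar/2026:11:15:00 +0000] "GET /blog/other-post?token=def456 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [27/Mar/2026:11:15:20 +0000] "GET /blog/other-post HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict; return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    token = parse_qs(target.query).get("token", [None])[0]
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "path": target.path,
        "status": int(m.group("status")),
        "token": token,
    }


def find_token_reuse(lines, min_paths=2):
    """Map each token to the distinct paths it fetched with HTTP 200 and the source IPs involved,
    keeping only tokens that unlocked at least `min_paths` different paths."""
    paths = defaultdict(set)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["token"] is None or rec["status"] != 200:
            continue  # only successful, token-bearing fetches are evidence of access
        paths[rec["token"]].add(rec["path"])
        ips[rec["token"]].add(rec["ip"])
    return {
        tok: {"paths": sorted(p), "ips": sorted(ips[tok])}
        for tok, p in paths.items()
        if len(p) >= min_paths
    }


def report(lines):
    """One human-readable line per suspicious token, for handing to the reviewer."""
    out = []
    for tok, info in find_token_reuse(lines).items():
        out.append(f"token {tok}: {len(info['paths'])} paths {info['paths']} from {info['ips']}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG_LINES):
        print(line)
```

Point the script at a real log with `find_token_reuse(open(path).read().splitlines())`. Each flagged token still needs a human to compare the paths reached with the Control Panel user's permissions, since a slug change during a legitimate preview also yields two paths for one token.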
Can you explain this vulnerability to me?
CVE-2026-33884 is a moderate-severity incorrect-authorization weakness (CWE-863) in Statamic CMS. It affects the 5.x line before 5.73.16 and the 6.x line from 6.0.0 before 6.7.2.
Live preview issues a token so that an unpublished or restricted entry can be rendered on the front end for the editor working on it. An authenticated Control Panel user with access to live preview can use such a token to read restricted content entries the token was not intended to authorize: an authorization check is performed, but it does not correctly limit what the token unlocks.
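An illustration of the CWE-863 shape described above, added here as an example. It is not Statamic's code and not its actual fix; the token store, function names and entry identifiers are hypothetical. It places a check that only verifies the token is valid next to one that also verifies the token was minted for the entry being requested.

```python
"""Token validated but not bound to its resource (CWE-863) next to the bound check.

Added example for this page; not Statamic's code or fix. Store layout, names and
entry ids are hypothetical.
"""
import secrets
import time


class PreviewTokenStore:
    """Issues short-lived preview tokens, each minted for exactly one entry."""

    def __init__(self, ttl_seconds=3600):
        self._tokens = {}
        self.ttl_seconds = ttl_seconds

    def issue(self, entry_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"entry_id": entry_id, "expires_at": now + self.ttl_seconds}
        return token

    def lookup(self, token, now=None):
        """Return the token record if it exists and is unexpired, else None."""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None or record["expires_at"] <= now:
            return None
        return record


def authorize_unbound(store, token, requested_entry_id, now=None):
    """Weak check: any valid token unlocks any entry.
    The token itself is verified, but the entry it was issued for is never
    compared with the entry being requested, which is the CWE-863 pattern."""
    return store.lookup(token, now) is not None


def authorize_bound(store, token, requested_entry_id, now=None):
    """Corrected check: the token must exist, be unexpired, and have been
    minted for the entry actually being requested."""
    record = store.lookup(token, now)
    if record is None:
        return False
    return secrets.compare_digest(record["entry_id"].encode(), requested_entry_id.encode())


def demo():
    """Exercise both checks with a token issued for one entry and used against another."""
    store = PreviewTokenStore(ttl_seconds=600)
    t0 = 1_700_000_000.0
    token = store.issue("blog/draft-post", now=t0)
    return {
        "unbound_other_entry": authorize_unbound(store, token, "internal/board-minutes", now=t0 + 5),
        "bound_other_entry": authorize_bound(store, token, "internal/board-minutes", now=t0 + 5),
        "bound_own_entry": authorize_bound(store, token, "blog/draft-post", now=t0 + 5),
        "bound_expired": authorize_bound(store, token, "blog/draft-post", now=t0 + 601),
        "bound_unknown_token": authorize_bound(store, "not-a-token", "blog/draft-post", now=t0 + 5),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The difference between the two functions is one comparison, which is typical of this weakness class: the existence and expiry checks pass, so the code looks authorized, while the binding between credential and resource is missing.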
How can this vulnerability impact me?
The impact is to confidentiality: an authenticated, low-privileged Control Panel user with network access to the site can read restricted content entries, without any interaction from another user. What that exposes depends on your site; unpublished drafts, private or members-only entries and anything held in restricted collections are the likely targets.
Integrity and availability are not affected; the weakness does not let the user modify entries or disrupt the site.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the statamic/cms package to 5.73.16 or later on the 5.x line, or to 6.7.2 or later on the 6.x line, for example with `composer update statamic/cms`, and confirm the result with `composer show statamic/cms`.
The fix closes the live preview token bypass that allowed unauthorized access to restricted content. Until the upgrade is deployed, limit Control Panel accounts to users you trust with all restricted content, since any Control Panel user who can use live preview can trigger the issue.