Compliance Impact

This vulnerability allows authenticated Control Panel users to bypass authorization checks and access entry revisions for any collection with revisions enabled, exposing entry field values and blueprint data. Such unauthorized exposure of potentially sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Although the vulnerability has a low confidentiality impact, the unauthorized access to data may still violate compliance requirements related to data privacy and security.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing authenticated Control Panel users to access entry revisions and sensitive data they should not have permission to see, potentially exposing confidential information.

Users without edit permissions can also create entry revisions, which may lead to unauthorized snapshots of content states, although this does not affect the published content.

Overall, the confidentiality and integrity of content data are at risk, with a CVSS base score of 5.4 indicating moderate severity.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33887 is a moderate severity vulnerability in the Statamic CMS affecting versions prior to 5.73.16 and 6.7.2. The issue is caused by missing authorization checks in the revision controllers, which allows authenticated Control Panel users to view entry revisions for any collection with revisions enabled, regardless of their permissions for those collections.

This bypass of authorization exposes sensitive entry field values and blueprint data. Additionally, users without edit permissions can create entry revisions, which only snapshot the current content state and do not affect published content.

The vulnerability is due to CWE-862 (Missing Authorization) and was fixed in versions 5.73.16 and 6.7.2.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves missing authorization checks in the Statamic CMS revision controllers, allowing authenticated Control Panel users to access entry revisions without proper permissions.

To detect if your system is vulnerable, first verify the version of Statamic CMS you are running. Versions prior to 5.73.16 and 6.7.2 are affected.

You can check the installed version by running commands such as:

• For Composer-based installations: `composer show statamic/cms | grep versions`
• Or check the version in your Statamic Control Panel under the About or System Information section.

To detect exploitation attempts, monitor authenticated Control Panel user activity for unusual access to entry revisions of collections they do not have permissions for.

Since the vulnerability requires authenticated access, review logs for users accessing revision endpoints or creating entry revisions without edit permissions.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Statamic CMS to version 5.73.16 or 6.7.2 or later, where this vulnerability has been fixed.

Until you can upgrade, restrict Control Panel user access to trusted users only, as the vulnerability requires authenticated access.

Additionally, monitor and audit Control Panel user activities for unauthorized access to entry revisions or creation of entry revisions without proper permissions.

Consider implementing additional access controls or network restrictions to limit access to the Control Panel.

Useful 0 Not Useful 0