CVE-2026-33171 in Statamic

Summary

by MITRE • 03/21/2026

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint. This has been fixed in 5.73.14 and 6.7.0.


Analysis

by VulDB Data Team • 03/27/2026

The vulnerability identified as CVE-2026-33171 affects Statamic CMS, a content management system built on Laravel and Git that serves as a foundation for web content management. It is a critical access control flaw: authenticated users can bypass the file system restrictions that normally apply and read sensitive configuration files that should remain protected. The flaw lies in Statamic's Control Panel, where users holding valid credentials can manipulate a configuration parameter to read arbitrary files from the server's file system. All releases prior to 5.73.14 and 6.7.0 are affected, which indicates that the flaw was present for an extended period and potentially exposed numerous installations to unauthorized file access.

The exploitation mechanism is manipulation of the `filename` configuration parameter in the fieldtype's endpoint, the parameter that controls which file the CMS reads and processes. By altering it, an authenticated user can name file paths that would normally be restricted and read sensitive `.json`, `.yaml`, and `.csv` files. The root cause is insufficient input validation and missing access control checks in the file handling routines of Statamic's Control Panel. The flaw is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory, the weakness that lets an attacker traverse the file system beyond the intended boundary; it is a classic path traversal (directory traversal) bug arising from weak input sanitization.

The operational impact is significant: authenticated users gain access to configuration data that may contain database credentials, API keys, application secrets, and other confidential information stored in `.json`, `.yaml`, and `.csv` files. That access can open the door to further exploitation, including privilege escalation, data exfiltration, and system compromise. Attackers could use it to learn the application's architecture and configuration and from there identify additional weaknesses. Because the flaw sits in the Control Panel, even users with limited privileges may be able to reach critical system information, which makes the vulnerability particularly dangerous in environments where many users have CMS access. The issue aligns with ATT&CK technique T1213, Data from Information Repositories, which covers access to data repositories and configuration files holding sensitive information.

Remediation is to upgrade to Statamic 5.73.14 or 6.7.0, which contain the patches for the file path manipulation issue, and organizations should prioritize that upgrade. In addition, security teams should monitor for unauthorized file access attempts and review Control Panel user permissions so that only users who need potentially sensitive functionality have it. The fix likely consists of proper input validation for file path parameters and stricter access controls on file system operations in the Control Panel. Organizations should also review their Statamic installations for other access control issues and confirm that file system operations are properly restricted, so that similar vulnerabilities are not introduced in the future.
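The two points above, restricting the `filename` parameter to the intended directory and allowed extensions, and monitoring for attempts that fall outside them, can be illustrated with one small script. It is an added example written for this page, not Statamic's code or its fix; the base directory, the `/cp/fieldtypes/` endpoint prefix, the `filename` query parameter and the access-log lines are all constructed assumptions used only to show the check. The containment test uses `os.path.realpath`, so a symlink inside the base directory that points outside it is rejected as well.

```python
import os
from urllib.parse import urlsplit, parse_qs, unquote

# Formats the file dictionary reads, per the advisory; anything else is rejected.
ALLOWED_EXTENSIONS = {".json", ".yaml", ".csv"}


def resolve_dictionary_file(base_dir, filename):
    """Return the absolute path of `filename` inside `base_dir`, or None if rejected.

    Rejection happens when the extension is not allowed or when the resolved
    path (symlinks and `..` segments collapsed) lands outside `base_dir`.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `filename` is absolute; the containment
    # check below catches that case as well as `../` traversal.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # different drives on Windows: never contained
        return None
    return candidate


def flag_suspicious_requests(log_lines, base_dir, endpoint_prefix="/cp/fieldtypes/"):
    """Return (request target, decoded filename) for requests to the fieldtype
    endpoint (assumed prefix) whose `filename` would fail the resolver."""
    flagged = []
    for line in log_lines:
        try:
            request = line.split('"')[1]           # 'GET /path?q HTTP/1.1'
            _method, target, _proto = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                                # not a parseable access-log line
        parts = urlsplit(target)
        if not parts.path.startswith(endpoint_prefix):
            continue
        for raw in parse_qs(parts.query).get("filename", []):
            # parse_qs decoded once; a second unquote exposes double-encoded '..%252F'.
            name = unquote(raw)
            if resolve_dictionary_file(base_dir, name) is None:
                flagged.append((target, name))
    return flagged


# Constructed sample data (assumed directory layout and endpoint, not Statamic's).
BASE_DIR = "/srv/app/resources/dictionaries"
SAMPLE_LOG = [
    '203.0.113.5 - editor [21/Mar/2026:10:02:11 +0000] "GET /cp/fieldtypes/dictionaries/file?filename=countries.json HTTP/1.1" 200 512',
    '203.0.113.5 - editor [21/Mar/2026:10:02:19 +0000] "GET /cp/fieldtypes/dictionaries/file?filename=..%2F..%2Fconfig%2Fdatabase.json HTTP/1.1" 200 901',
    '203.0.113.5 - editor [21/Mar/2026:10:02:27 +0000] "GET /cp/fieldtypes/dictionaries/file?filename=..%252F..%252F.env HTTP/1.1" 200 640',
    '198.51.100.9 - author [21/Mar/2026:10:03:01 +0000] "GET /cp/collections/pages HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, name in flag_suspicious_requests(SAMPLE_LOG, BASE_DIR):
        print(f"rejected filename {name!r} in {target}")
```

In the sample the first request resolves to a file under the base directory and is accepted; the second escapes it with `../` and the third with double URL-encoding, so both are flagged, and the request that is not to the fieldtype endpoint is skipped. Deployed behind the real endpoint, the same resolver is the allow-list a patched handler should apply before opening anything, with the extension checked on the resolved name rather than the raw input.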

Responsible: GitHub M

Reservation: 03/17/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00022

KEV: no

Activities: very low
