CVE-2026-33177 in Statamic

Summary

by MITRE • 03/21/2026

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.


Analysis

by VulDB Data Team • 03/27/2026

CVE-2026-33177 is an authorization bypass in the Statamic content management system affecting versions prior to 5.73.14 and 6.7.0. Statamic is a Laravel and Git powered CMS whose Control Panel relies on per-permission authorization to protect administrative functions, including taxonomy term management. The flaw lets a Control Panel user with low privileges create taxonomy terms through a submission path other than the dedicated creation endpoint, sidestepping the checks that endpoint enforces.

The root cause is missing authorization in the field action processing endpoint, which handles operations triggered by fields in the Control Panel. Because the endpoint accepts field definitions supplied in the request body, a low-privileged user can submit a crafted request whose field definition causes a taxonomy term to be created. The dedicated taxonomy term creation endpoint checks whether the user may create terms; the field action path did not perform an equivalent check before producing the same side effect. The attacker is already authenticated as a Control Panel user, so what is bypassed is authorization, not authentication: the result is an escalation from a low-privileged account to an action reserved for users holding term-creation rights.
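The pattern described above, modelled in plain Python as an added illustration. This is not Statamic's code: the endpoint names, the permission strings, the `create_term` action and the layout of the field definition are assumptions made for the example. The point it shows is that a check performed only on the dedicated route is bypassed by any other route that reaches the same write, and that the fix is to attach the check to the operation rather than to the route.

```python
"""Alternate-path authorization bypass, modelled in plain Python.

Constructed illustration: the endpoint names, permission strings and the
field-definition layout below are assumptions made for this example and are
not Statamic's code or request format.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails."""


@dataclass
class User:
    name: str
    permissions: set[str]


@dataclass
class Taxonomy:
    handle: str
    terms: list[str] = field(default_factory=list)


def authorize(user: User, ability: str) -> None:
    """Deny unless the user holds the named ability (assumed permission model)."""
    if ability not in user.permissions:
        raise Forbidden(f"{user.name} may not '{ability}'")


def _store_term(taxonomy: Taxonomy, slug: str) -> str:
    """The privileged side effect that both code paths can reach."""
    taxonomy.terms.append(slug)
    return slug


def create_term(user: User, taxonomy: Taxonomy, slug: str) -> str:
    """Dedicated creation endpoint: authorizes first, then writes."""
    authorize(user, f"create {taxonomy.handle} terms")
    return _store_term(taxonomy, slug)


# Vulnerable pattern: the generic field-action endpoint only checks that the
# caller may use the control panel, then lets the field definition from the
# request body choose the handler. This handler writes directly, so the check
# inside create_term() is never reached.
VULNERABLE_HANDLERS = {
    "create_term": lambda user, tax, args: _store_term(tax, args["slug"]),
}

# Fixed pattern: every handler goes through the same authorizing function as
# the dedicated endpoint, so the check is tied to the operation, not the route.
FIXED_HANDLERS = {
    "create_term": lambda user, tax, args: create_term(user, tax, args["slug"]),
}


def process_field_action(user: User, taxonomies: dict, request: dict,
                         handlers: dict) -> str:
    """Generic field-action endpoint (assumed shape), parameterised by handler table."""
    authorize(user, "access cp")
    field_def = request["field"]                 # attacker-controlled
    taxonomy = taxonomies[field_def["taxonomy"]]
    return handlers[field_def["action"]](user, taxonomy, request["args"])


def run_demo() -> dict:
    """Exercise both paths with a low-privileged user and report the outcomes."""
    editor = User("editor", {"access cp"})       # no term-creation permission
    tags = Taxonomy("tags")
    request = {"field": {"taxonomy": "tags", "action": "create_term"},
               "args": {"slug": "injected"}}
    results = {}

    try:
        create_term(editor, tags, "direct")
        results["direct"] = "allowed"
    except Forbidden:
        results["direct"] = "denied"

    try:
        process_field_action(editor, {"tags": tags}, request, VULNERABLE_HANDLERS)
        results["vulnerable_path"] = "allowed"
    except Forbidden:
        results["vulnerable_path"] = "denied"

    try:
        process_field_action(editor, {"tags": tags}, request, FIXED_HANDLERS)
        results["fixed_path"] = "allowed"
    except Forbidden:
        results["fixed_path"] = "denied"

    results["terms"] = list(tags.terms)          # only the vulnerable path wrote
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the dedicated endpoint denying the editor, the vulnerable field-action path creating the term anyway, and the fixed path denying it again; the taxonomy ends up containing only the term written through the vulnerable path. The general lesson is that an authorization check belongs as close to the side effect as possible, so that new entry points cannot forget it.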

The direct impact is a loss of integrity for taxonomy data: users who should not be able to create terms can do so. Whether this leads to further harm depends on how a site uses its taxonomies, for example whether terms are rendered on the public site or drive how content is organised, so the practical severity varies by deployment. The bypass is nonetheless a break in the Control Panel's authorization model, because a permission is enforced on one route but not on another that reaches the same operation, which is precisely the condition the principle of least privilege is meant to rule out.

The weakness is classified as CWE-863 (Incorrect Authorization): the application performs an authorization check, but not on every path that reaches the sensitive operation. VulDB maps it to ATT&CK technique T1078 (Valid Accounts), since the attacker acts from a legitimate, low-privileged account rather than from outside the application.

Organizations running affected versions should upgrade to 5.73.14 (5.x) or 6.7.0 (6.x) or later. Until that is done, limit Control Panel access to trusted accounts, review which users hold Control Panel access at all, and monitor requests to the field action processing endpoint for submissions from low-privileged accounts. The patched versions enforce access control on taxonomy term creation regardless of the submission path used, so the field action path is subject to the same authorization as the dedicated endpoint.

Responsible

GitHub M

Reservation

03/17/2026

Disclosure

03/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low
