CVE-2026-25633: Statamic CMS's missing authorization allows access to assets
Users without permission to view assets are able to download them and view their metadata.
Logged-out users and users without permission to access the control panel are unable to take advantage of this.
References
- github.com/advisories/GHSA-gwmx-9gcj-332h
- github.com/statamic/cms
- github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
- github.com/statamic/cms/pull/13883
- github.com/statamic/cms/releases/tag/v5.73.6
- github.com/statamic/cms/releases/tag/v6.2.5
- github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h
- nvd.nist.gov/vuln/detail/CVE-2026-25633
Detect and mitigate CVE-2026-25633 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.