CVE-2026-25633
MEDIUM4.3EPSS 0.01%Statamic CMS's missing authorization allows access to assets
Published: 2/11/2026Modified: 2/11/2026
Also known as:GHSA-gwmx-9gcj-332h
Description
### Impact Users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. ### Patches This has been fixed in 5.73.6 and 6.2.5.
Affected packages (1)
- Packagist/statamic/cmsfrom 0, < 5.73.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-25633
- PATCHhttps://github.com/statamic/cms
- WEBhttps://github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8a
- WEBhttps://github.com/statamic/cms/pull/13883
- WEBhttps://github.com/statamic/cms/releases/tag/v5.73.6
- WEBhttps://github.com/statamic/cms/releases/tag/v6.2.5
- WEBhttps://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h