Moderate severityNVD Advisory· Published Feb 11, 2026· Updated Feb 12, 2026
Statamic's missing authorization allows access to assets
CVE-2026-25633
Description
Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. This has been fixed in 5.73.6 and 6.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
statamic/cmsPackagist | < 5.73.6 | 5.73.6 |
statamic/cmsPackagist | >= 6.0.0-alpha.1, < 6.2.5 | 6.2.5 |
Affected products
2Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-gwmx-9gcj-332hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25633ghsaADVISORY
- github.com/statamic/cms/commit/5a6f47246edf3a0c453727ffecbfa14333a6bc8aghsax_refsource_MISCWEB
- github.com/statamic/cms/pull/13883ghsaWEB
- github.com/statamic/cms/releases/tag/v5.73.6ghsax_refsource_MISCWEB
- github.com/statamic/cms/releases/tag/v6.2.5ghsax_refsource_MISCWEB
- github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332hghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.