Statamic is missing authorization check on taxonomy term creation via fieldtype
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. This has been fixed in 5.73.14 and 6.7.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Low-privileged Statamic Control Panel users can create taxonomy terms by exploiting a missing authorization check in the field action processing endpoint.
Vulnerability
Overview
CVE-2026-33177 is an authorization bypass vulnerability in Statamic, a Laravel and Git powered CMS. Prior to versions 5.73.14 and 6.7.0, the field action processing endpoint did not verify that the requesting user had permission to create taxonomy terms. Because the endpoint accepted field definitions supplied in the request itself, a low-privileged Control Panel user could submit a crafted definition pointing at a taxonomy of their choosing and have the endpoint create terms in it, bypassing the authorization checks enforced on the standard taxonomy term creation endpoint [1][3].
Exploitation
An attacker must have a valid Control Panel user account with low privileges. No special network position is required beyond access to the Control Panel. The attack is performed by sending a specially crafted request to the field action processing endpoint, including arbitrary field definitions that the endpoint would process without verifying the user's authorization to create taxonomy terms [1][3].
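The bug class described above, as an added illustration that is not Statamic's code: a "field action" endpoint rebuilds a fieldtype from a client-supplied field definition and runs the requested action, and the action creates the term without the permission check that the standard term creation route performs. The fix enforces the same check at the operation itself, so it holds regardless of which route reaches it. Class names, the request shape, the `create-term` action name and the `create {taxonomy} terms` permission string are all assumptions for this example.

```php
<?php
declare(strict_types=1);

// Self-contained model of the vulnerability class; not Statamic code. The
// request shape, class names and permission strings are assumptions.

final class AuthorizationException extends RuntimeException {}

final class User
{
    /** @param string[] $permissions */
    public function __construct(public string $name, private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class TermStore
{
    /** @var array<string, string[]> taxonomy handle => term slugs */
    public array $terms = [];

    public function create(string $taxonomy, string $slug): void
    {
        $this->terms[$taxonomy][] = $slug;
    }
}

/** Standard term creation endpoint: authorization enforced before the write. */
function storeTerm(User $user, TermStore $store, string $taxonomy, string $slug): void
{
    if (!$user->can("create {$taxonomy} terms")) {
        throw new AuthorizationException("{$user->name} may not create terms in {$taxonomy}");
    }
    $store->create($taxonomy, $slug);
}

/**
 * Vulnerable field action endpoint: the field definition (including the target
 * taxonomy) comes straight from the request, and the action writes the term
 * without ever consulting the user's permissions.
 */
function processFieldActionVulnerable(User $user, TermStore $store, array $request): void
{
    $field = $request['field'];
    if (($field['type'] ?? null) !== 'terms') {
        throw new InvalidArgumentException('unsupported fieldtype');
    }
    if ($request['action'] === 'create-term') {
        $store->create($field['taxonomy'], $request['slug']); // no authorization check
    }
}

/** Fixed: the action routes through the same check as the standard endpoint. */
function processFieldActionFixed(User $user, TermStore $store, array $request): void
{
    $field = $request['field'];
    if (($field['type'] ?? null) !== 'terms') {
        throw new InvalidArgumentException('unsupported fieldtype');
    }
    if ($request['action'] === 'create-term') {
        storeTerm($user, $store, $field['taxonomy'], $request['slug']);
    }
}

// Constructed sample: a low-privileged CP user with no taxonomy permissions,
// sending an attacker-controlled field definition that targets the "tags" taxonomy.
$lowPriv = new User('contributor', ['edit blog entries']);
$request = [
    'action' => 'create-term',
    'field'  => ['type' => 'terms', 'taxonomy' => 'tags'],
    'slug'   => 'attacker-term',
];

$store = new TermStore();
try {
    storeTerm($lowPriv, $store, 'tags', 'attacker-term');
} catch (AuthorizationException $e) {
    echo "standard endpoint: denied ({$e->getMessage()})\n";
}

processFieldActionVulnerable($lowPriv, $store, $request);
echo 'vulnerable field action: terms now ' . json_encode($store->terms) . "\n";

$store = new TermStore();
try {
    processFieldActionFixed($lowPriv, $store, $request);
} catch (AuthorizationException $e) {
    echo "fixed field action: denied ({$e->getMessage()})\n";
}
```

Run with `php example.php`: the standard endpoint and the fixed action both deny the request, while the vulnerable action records `attacker-term` under `tags`. The practitioner's takeaway is that any endpoint which dispatches to handlers based on client-supplied definitions must authorize the resulting operation, not just the route it was registered under.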
Impact
Successful exploitation allows an attacker to create taxonomy terms that they would not normally be permitted to create. This could lead to unauthorized content manipulation within the CMS, potentially affecting the integrity of the site's taxonomy structure [1][3].
Mitigation
The vulnerability has been fixed in Statamic versions 5.73.14 and 6.7.0. Users running earlier versions of either release line should upgrade to the corresponding patched release [1][3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| statamic/cms | Packagist | >= 6.0.0-alpha.1, < 6.7.0 | 6.7.0 |
| statamic/cms | Packagist | < 5.73.14 | 5.73.14 |
Affected products
- statamic/cms v5, range: < 5.73.14
- statamic/cms v6, range: >= 6.0.0-alpha.1, < 6.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/advisories/GHSA-wh3h-gvc4-cc2g (GitHub Security Advisory)
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33177 (NVD)
[3] https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.