Statamic CMS: The Peek-a-Boo Protocol (CVE-2026-25633)
Vulnerability ID: CVE-2026-25633
CVSS Score: 4.3
Published: 2026-02-11
A missing authorization check (CWE-862) in the Statamic CMS Control Panel lets authenticated Control Panel users bypass per-container asset permissions. By requesting the asset controllers for PDFs, SVGs and thumbnails directly, a low-privilege user can view and download files from containers (such as 'Private' or 'HR') that the UI hides from them and that their role explicitly denies.
TL;DR
Authenticated users with basic Control Panel access can view restricted assets (PDFs, SVGs, Thumbnails) by bypassing permission checks on specific controller routes. Patch involves adding missing authorization gates.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network
- CVSS: 4.3 (Medium)
- Authentication: Required (Low Privilege)
- Impact: Confidentiality Loss
- Exploit Status: Functional PoC
Affected Systems
- Statamic CMS 5.x: < 5.73.6 (fixed in 5.73.6)
- Statamic CMS 6.x: >= 6.0.0-alpha.1, < 6.2.5 (fixed in 6.2.5)
Code Analysis
Commit: 5a6f472
Fix unauthorized viewing of assets
@@ -15,6 +15,7 @@ public function show($encoded_id)
if (! $asset) {
abort(404);
}
+
+ $this->authorize('view', $asset);
return $asset->download();
}
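Review bot: this hunk adds `$this->authorize('view', $asset);` to a single `show($encoded_id)` method, while the advisory names PDF, SVG and thumbnail controllers as affected; confirm the same gate (or a shared policy check) lands in the other two controllers and that the tests include a user whose role lacks the container's view permission requesting each route. A secondary point on ordering: the gate sits after `abort(404)`, so an unauthorized caller now gets 403 for an asset that exists and 404 for one that does not, which lets a low-privilege user confirm which encoded IDs are valid; that is a small enumeration signal rather than a content leak, but if uniform responses are wanted the policy could treat a missing and a forbidden asset alike.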
Exploit Details
- Theory: insecure direct object reference. The /cp/pdfs/ route takes a Base64-encoded asset ID straight from the URL and, before the fix, resolved the asset and served it without checking whether the caller may view that asset's container; the SVG and thumbnail controllers behaved the same way.
Mitigation Strategies
- Update Statamic CMS to the latest patched version.
- Review User Roles and Permissions to ensure least privilege.
- Audit Control Panel access logs for requests to the PDF, SVG and thumbnail preview endpoints from users whose roles do not grant access to the asset's container.
Remediation Steps:
- Run composer update statamic/cms to fetch the latest version.
- Verify the installed version (composer show statamic/cms prints it) is >= 5.73.6 on the 5.x branch or >= 6.2.5 on the 6.x branch; a 6.x install below 6.2.5 is still vulnerable even though it is numerically above 5.73.6.
- Clear the application cache: php artisan cache:clear.
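The version check in the second step is easy to get wrong because the two branches have different floors, so here, as an added example and not a Statamic or Composer tool, is a small script that reads the statamic/cms entry from a composer.lock (a constructed fragment is embedded) and says whether it is at or above the fix for its own major branch, treating a pre-release such as 6.2.5-beta.1 as older than 6.2.5. The composer.lock layout used is the standard one (a packages array of objects with name and version); the package list and versions in the fragment are constructed.

```python
"""Check whether an installed statamic/cms version carries the fix for
CVE-2026-25633. Added example; not a Statamic or Composer tool."""
import json
import re
from typing import Optional, Tuple

# Fix floors from the advisory, one per release branch. A 6.x install is only
# safe at 6.2.5 or later; being numerically above 5.73.6 is not enough.
FIXED = {5: (5, 73, 6), 6: (6, 2, 5)}

# major.minor.patch with an optional leading "v" (as composer.lock writes it)
# and an optional pre-release tag such as "-alpha.1" or "-beta.1".
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split "v6.2.5-beta.1" into ((6, 2, 5), "beta.1"); raise ValueError if unparseable."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not covered by advisory' for one version string."""
    core, prerelease = parse_version(version)
    floor = FIXED.get(core[0])
    if floor is None:
        return "not covered by advisory"  # e.g. a 4.x install: check with the vendor
    if core > floor:
        return "patched"
    if core < floor:
        return "vulnerable"
    # Same numbers as the fixed release: a pre-release of it predates the fix.
    return "vulnerable" if prerelease else "patched"


def installed_version(composer_lock_text: str) -> Optional[str]:
    """Return the statamic/cms version recorded in composer.lock, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "statamic/cms":
            return pkg.get("version")
    return None


# Constructed composer.lock fragment for the example (not a real lock file).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/other-package", "version": "v2.0.0"},
        {"name": "statamic/cms", "version": "v5.73.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    found = installed_version(SAMPLE_COMPOSER_LOCK)
    print(f"statamic/cms {found}: {assess(found) if found else 'not installed'}")
    for v in ("5.73.6", "6.1.0", "6.0.0-alpha.1", "6.2.5-beta.1", "6.2.5"):
        print(f"{v}: {assess(v)}")
```

Feed it the real composer.lock from the project root (open the file and pass its text to installed_version) after the composer update; a result of "patched" for the installed version is the condition the second remediation step asks you to confirm.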