CVE-2026-33885: Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential
The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows.
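The advisory gives no detail on the differential itself. As an added illustration (not Statamic's code or its patch), the JavaScript below assumes the common case where a server-side check classifies a redirect target one way while the browser's WHATWG URL parser resolves it another. SITE_ORIGIN, the function names and the sample values are constructed.

```javascript
// Added example, not Statamic code. SITE_ORIGIN, function names and SAMPLES
// are constructed for illustration.
const SITE_ORIGIN = 'https://cms.example.test';

// Naive check: anything that starts with "/" is assumed to be a local path.
function naiveIsLocal(target) {
  return typeof target === 'string' && target.startsWith('/');
}

// Hardened check: resolve the value the way a browser would (WHATWG URL
// parser, relative to the site origin) and accept it only if the result
// stays on that origin. Returns a path-only value or the fallback.
function safeRedirectTarget(target, siteOrigin = SITE_ORIGIN, fallback = '/') {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) {
    return fallback;
  }
  // Control characters, whitespace and backslashes are where parsers disagree
  // most (some strip them, some normalise "\" to "/"), so refuse them outright.
  if (/[\u0000-\u0020\u007f\\]/.test(target)) return fallback;
  let url;
  try {
    url = new URL(target, siteOrigin);
  } catch {
    return fallback;
  }
  if (url.origin !== new URL(siteOrigin).origin) return fallback;
  if (url.username !== '' || url.password !== '') return fallback;
  // Re-emit path, query and fragment only, so no host reaches the Location header.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs: two legitimate targets, then values a prefix check misjudges.
const SAMPLES = [
  '/account?tab=billing',
  'https://cms.example.test/dashboard',
  '//other.example.test/login',
  '/\\other.example.test/login',
  'https://cms.example.test@other.example.test/',
];

// Side-by-side verdicts, useful as a regression table for a validator.
function compare(samples = SAMPLES) {
  return samples.map((t) => ({
    target: t,
    naiveLocal: naiveIsLocal(t),
    hardened: safeRedirectTarget(t),
  }));
}
console.table(compare());
```

The same table works as a regression test after upgrading: every row whose resolved origin differs from the site origin should come back as the fallback path.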