Studiocms
CVE-2026-32101
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
AnalysisAI
High severity vulnerability in StudioCMS. The S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename...
Technical ContextAI
Vulnerability Type: Incorrect Authorization (CWE-863) CVSS 3.1: 7.6/10.0 — Attack Vector: Network | Complexity: Low | Privileges Required: Low | User Interaction: None Attack Techniques: Authentication Bypass Source: https://github.com/withstudiocms/studiocms Authentication bypass allows attackers to access protected resources without valid credentials.
RemediationAI
Security advisories:
- https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr
Privilege escalation in StudioCMS versions prior to 0.4.0 enables authenticated Editor-level users to generate API token
StudioCMS prior to version 0.4.0 allows authenticated editors and above to revoke API tokens belonging to any user, incl
Medium severity vulnerability in StudioCMS. The POST /studiocms_api/dashboard/create-reset-link endpoint allows any auth
headless content management system. versions up to 0.2.0 is affected by authorization bypass through user-controlled key
A security vulnerability in StudioCMS (CVSS 5.4). Remediation should follow standard vulnerability management procedures
## Summary The REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts,
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mm78-fgq8-6pgr