Studiocms
CVE-2026-32103
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.
AnalysisAI
Medium severity vulnerability in StudioCMS. The POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/d...
Technical ContextAI
Vulnerability Type: Authorization Bypass Through User-Controlled Key (CWE-639) CVSS 3.1: 6.8/10.0 — Attack Vector: Network | Complexity: Low | Privileges Required: High | User Interaction: None Attack Techniques: Authentication Bypass Source: https://github.com/withstudiocms/studiocms Authentication bypass allows attackers to access protected resources without valid credentials.
RemediationAI
Security advisories:
- https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c
Update to the latest patched version as soon as possible.
Privilege escalation in StudioCMS versions prior to 0.4.0 enables authenticated Editor-level users to generate API token
High severity vulnerability in StudioCMS. The S3 storage manager's `isAuthorized()` function is declared `async` (return
StudioCMS prior to version 0.4.0 allows authenticated editors and above to revoke API tokens belonging to any user, incl
headless content management system. versions up to 0.2.0 is affected by authorization bypass through user-controlled key
A security vulnerability in StudioCMS (CVSS 5.4). Remediation should follow standard vulnerability management procedures
## Summary The REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts,
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-h7vr-cg25-jf8c