Studiocms
CVE-2026-32104
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
AnalysisAI
A security vulnerability in StudioCMS (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
Technical ContextAI
CWE-639 (Authorization Bypass (IDOR)). Affects StudioCMS.
RemediationAI
Monitor vendor channels for patch availability.
Privilege escalation in StudioCMS versions prior to 0.4.0 enables authenticated Editor-level users to generate API token
High severity vulnerability in StudioCMS. The S3 storage manager's `isAuthorized()` function is declared `async` (return
StudioCMS prior to version 0.4.0 allows authenticated editors and above to revoke API tokens belonging to any user, incl
Medium severity vulnerability in StudioCMS. The POST /studiocms_api/dashboard/create-reset-link endpoint allows any auth
headless content management system. versions up to 0.2.0 is affected by authorization bypass through user-controlled key
## Summary The REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts,
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9v82-xrm4-mp52