CVE-2026-24134

Published: Jan 28, 2026Modified: Mar 17, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue.

Affected (1)

Products: Studiocms: Studiocms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Studiocms Studiocms	Before 0.2.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (3)

https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad

Source: security-advisories@github.com

Patch

https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0

Source: security-advisories@github.com

Release Notes

https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.