← Back

CVE-2026-32106

nvd nist
Published: Mar 11, 2026Modified: Mar 17, 2026

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: NVD

Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.

Affected (1)

Products: Studiocms: Studiocms
Studiocms
1 product
Studiocms
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Studiocms
Before 0.4.3

Related CWEs

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (1)

Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.