CVE-2026-32106

Medium CVSS: 4.7

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.

Vendor

Studiocms

Product

Studiocms

CWE

CWE-269

Yayın Tarihi

2026-03-11 21:16:16

Güncelleme

2026-03-17 15:36:52

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-269 Studiocms MEDIUM Studiocms 2026

Referanslar

https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q

Benzer Kayıtlar

Low

CVE-2026-32638

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `get…

High

CVE-2026-32101

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage ma…

Medium

CVE-2026-32103

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studioc…

Medium

CVE-2026-32104

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNot…

High

CVE-2026-30944

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_ap…

High

CVE-2026-30945

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studi…