CVE-2026-32104

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 21:16

Updated : 2026-03-17 15:35

NVD link : CVE-2026-32104

Mitre link : CVE-2026-32104

CVE.ORG link : CVE-2026-32104

JSON object : View

Products Affected

studiocms

studiocms

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-32104", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-11T21:16:16.457", "references": [{"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3."}, {"lang": "es", "value": "StudioCMS es un sistema de gesti\u00f3n de contenido sin cabeza, nativo de Astro y renderizado en el lado del servidor. Antes de la versi\u00f3n 0.4.3, el endpoint updateUserNotifications acepta un ID de usuario del payload de la solicitud y lo utiliza para actualizar las preferencias de notificaci\u00f3n de ese usuario. Verifica que el llamador ha iniciado sesi\u00f3n, pero nunca verifica que el llamador es propietario de la cuenta objetivo (id !== userData.user.id). Cualquier visitante autenticado puede modificar las preferencias de notificaci\u00f3n para cualquier usuario, incluyendo la desactivaci\u00f3n de las notificaciones de administrador para suprimir la detecci\u00f3n de actividad maliciosa. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.4.3."}], "lastModified": "2026-03-17T15:35:38.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD3D1012-B2EE-465F-8398-96C5B01C1399", "versionEndExcluding": "0.4.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}