CVE-2026-32106

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 21:16

Updated : 2026-03-17 15:36

NVD link : CVE-2026-32106

Mitre link : CVE-2026-32106

CVE.ORG link : CVE-2026-32106

JSON object : View

Products Affected

studiocms

studiocms

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2026-32106", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-03-11T21:16:16.603", "references": [{"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3."}, {"lang": "es", "value": "StudioCMS es un sistema de gesti\u00f3n de contenido sin cabeza, nativo de Astro y renderizado en el lado del servidor. Antes de la versi\u00f3n 0.4.3, el endpoint createUser de la API REST utiliza comprobaciones de rango basadas en cadenas que solo bloquean la creaci\u00f3n de cuentas de propietario, mientras que la API del Panel de Control utiliza una comparaci\u00f3n de rango basada en indexOf que impide la creaci\u00f3n de usuarios con un rango igual o superior al propio. Esta inconsistencia permite a un administrador crear cuentas de administrador adicionales a trav\u00e9s de la API REST, lo que permite la proliferaci\u00f3n y persistencia de privilegios. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.4.3."}], "lastModified": "2026-03-17T15:36:52.710", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD3D1012-B2EE-465F-8398-96C5B01C1399", "versionEndExcluding": "0.4.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}