CVE-2026-32638

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64	Patch
https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4	Product Release Notes
https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-18 21:16

Updated : 2026-03-19 18:40

NVD link : CVE-2026-32638

Mitre link : CVE-2026-32638

CVE.ORG link : CVE-2026-32638

JSON object : View

Products Affected

studiocms

studiocms

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-32638", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "published": "2026-03-18T21:16:26.770", "references": [{"url": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue."}, {"lang": "es", "value": "StudioCMS es un sistema de gesti\u00f3n de contenido sin cabeza, nativo de Astro y renderizado en el lado del servidor. Antes de la versi\u00f3n 0.4.4, el endpoint `getUsers` de la API REST en StudioCMS utiliza el par\u00e1metro de consulta `rank` controlado por el atacante para decidir si las cuentas de propietario deben filtrarse del conjunto de resultados. Como resultado, un token de administrador puede solicitar `rank=owner` y recibir registros de cuentas de propietario, incluyendo IDs, nombres de usuario, nombres para mostrar y direcciones de correo electr\u00f3nico, a pesar de que el endpoint adyacente `getUser` bloquea correctamente a los administradores para que no vean a los usuarios propietarios. Esto es una inconsistencia de autorizaci\u00f3n dentro de la misma superficie de gesti\u00f3n de usuarios. La versi\u00f3n 0.4.4 soluciona el problema."}], "lastModified": "2026-03-19T18:40:31.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF77B4D2-70E1-4F62-AE18-5726017098A2", "versionEndExcluding": "0.4.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}