CVE-2026-32104
Authorization Bypass in StudioCMS updateUserNotifications Endpoint
Publication date: 2026-03-11
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| studiocms | studiocms | to 0.4.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-32104 is an Insecure Direct Object Reference (IDOR) vulnerability in the StudioCMS package versions up to 0.4.2. The vulnerability exists in the updateUserNotifications API endpoint, which accepts a user ID from the request payload to update that user's notification preferences."}, {'type': 'paragraph', 'content': 'While the endpoint verifies that the caller is logged in and has visitor-level permissions, it does not verify that the caller owns the target user account identified by the supplied ID. This means any authenticated user can modify notification preferences for any other user.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this flaw to disable critical admin notifications, such as alerts for new user creation or account changes, which can suppress detection of malicious activities. The vulnerability is fixed in version 0.4.3 by adding an ownership check to ensure users can only modify their own notification preferences unless they have admin rights.'}] [1]
How can this vulnerability impact me? :
This vulnerability allows any authenticated user to modify notification settings for any other user, including administrators.
By disabling admin notifications, an attacker can suppress alerts that would normally notify administrators of suspicious or malicious activities such as new user creation, account changes, or deletions.
This suppression of notifications increases the risk that malicious actions go undetected, enabling attackers to chain further unauthorized actions with reduced risk of being discovered.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring API requests to the updateUserNotifications endpoint for suspicious activity where an authenticated user attempts to modify notification preferences for user IDs other than their own.'}, {'type': 'paragraph', 'content': 'A proof-of-concept shows that a visitor-role user can disable notifications for an admin user and receive a 200 OK response instead of a 403 Forbidden, indicating the vulnerability.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts, you can log and analyze requests to the updateUserNotifications endpoint, checking if the user ID in the payload differs from the authenticated user's ID."}, {'type': 'list_item', 'content': 'Use network monitoring tools or web server logs to filter requests to the updateUserNotifications API.'}, {'type': 'list_item', 'content': "Check for HTTP POST requests where the payload contains a user ID that does not match the authenticated user's ID."}, {'type': 'list_item', 'content': "Example command using grep on server logs: grep 'updateUserNotifications' /var/log/nginx/access.log | grep -v 'user_id=<authenticated_user_id>'"}, {'type': 'list_item', 'content': 'Use API testing tools like curl or Postman to simulate requests with mismatched user IDs and observe if the server improperly allows changes.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade StudioCMS to version 0.4.3 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'The fix involves adding an ownership check after verifying login status to ensure that users can only modify their own notification preferences unless they have admin privileges.'}, {'type': 'paragraph', 'content': "Until the upgrade can be applied, restrict access to the updateUserNotifications endpoint to trusted users or implement additional access controls to prevent unauthorized modification of other users' notification settings."}, {'type': 'list_item', 'content': 'Upgrade StudioCMS to version 0.4.3 or later.'}, {'type': 'list_item', 'content': "Implement server-side checks to verify that the user ID in the request matches the authenticated user's ID or that the user has admin rights."}, {'type': 'list_item', 'content': 'Monitor and log API requests to detect and respond to suspicious activity.'}] [1]