CVE-2026-32104
Received Received - Intake
Authorization Bypass in StudioCMS updateUserNotifications Endpoint

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32104
EUVD
EUVD-2026-11373
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
studiocms studiocms to 0.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32104 is an Insecure Direct Object Reference (IDOR) vulnerability in the StudioCMS package versions up to 0.4.2. The vulnerability exists in the updateUserNotifications API endpoint, which accepts a user ID from the request payload to update that user's notification preferences."}, {'type': 'paragraph', 'content': 'While the endpoint verifies that the caller is logged in and has visitor-level permissions, it does not verify that the caller owns the target user account identified by the supplied ID. This means any authenticated user can modify notification preferences for any other user.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this flaw to disable critical admin notifications, such as alerts for new user creation or account changes, which can suppress detection of malicious activities. The vulnerability is fixed in version 0.4.3 by adding an ownership check to ensure users can only modify their own notification preferences unless they have admin rights.'}] [1]

Impact Analysis

This vulnerability allows any authenticated user to modify notification settings for any other user, including administrators.

By disabling admin notifications, an attacker can suppress alerts that would normally notify administrators of suspicious or malicious activities such as new user creation, account changes, or deletions.

This suppression of notifications increases the risk that malicious actions go undetected, enabling attackers to chain further unauthorized actions with reduced risk of being discovered.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring API requests to the updateUserNotifications endpoint for suspicious activity where an authenticated user attempts to modify notification preferences for user IDs other than their own.'}, {'type': 'paragraph', 'content': 'A proof-of-concept shows that a visitor-role user can disable notifications for an admin user and receive a 200 OK response instead of a 403 Forbidden, indicating the vulnerability.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts, you can log and analyze requests to the updateUserNotifications endpoint, checking if the user ID in the payload differs from the authenticated user's ID."}, {'type': 'list_item', 'content': 'Use network monitoring tools or web server logs to filter requests to the updateUserNotifications API.'}, {'type': 'list_item', 'content': "Check for HTTP POST requests where the payload contains a user ID that does not match the authenticated user's ID."}, {'type': 'list_item', 'content': "Example command using grep on server logs: grep 'updateUserNotifications' /var/log/nginx/access.log | grep -v 'user_id=<authenticated_user_id>'"}, {'type': 'list_item', 'content': 'Use API testing tools like curl or Postman to simulate requests with mismatched user IDs and observe if the server improperly allows changes.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade StudioCMS to version 0.4.3 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'The fix involves adding an ownership check after verifying login status to ensure that users can only modify their own notification preferences unless they have admin privileges.'}, {'type': 'paragraph', 'content': "Until the upgrade can be applied, restrict access to the updateUserNotifications endpoint to trusted users or implement additional access controls to prevent unauthorized modification of other users' notification settings."}, {'type': 'list_item', 'content': 'Upgrade StudioCMS to version 0.4.3 or later.'}, {'type': 'list_item', 'content': "Implement server-side checks to verify that the user ID in the request matches the authenticated user's ID or that the user has admin rights."}, {'type': 'list_item', 'content': 'Monitor and log API requests to detect and respond to suspicious activity.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart