CVE-2026-32106
Received Received - Intake

Privilege Escalation via Inconsistent Rank Checks in StudioCMS REST API

Vulnerability report for CVE-2026-32106, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-07-07
AI Q&A
2026-03-11
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
studiocms studiocms to 0.4.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32106 is a vulnerability in StudioCMS versions prior to 0.4.3 caused by inconsistent permission checks between its REST API and Dashboard API when creating user accounts.'}, {'type': 'paragraph', 'content': "The REST API's createUser endpoint only blocks creation of 'owner' accounts by non-owners but fails to prevent an admin from creating additional admin accounts. In contrast, the Dashboard API correctly prevents creating users with ranks equal to or higher than the caller's rank."}, {'type': 'paragraph', 'content': 'This inconsistency allows an admin to create more admin accounts via the REST API, leading to privilege proliferation and persistence.'}] [1]

Impact Analysis

This vulnerability allows an attacker with admin-level access to create additional admin accounts through the REST API without proper authorization.

As a result, it enables privilege escalation and persistence, meaning unauthorized users can gain or maintain high-level administrative privileges.

The impact includes low confidentiality, integrity, and availability risks but can lead to unauthorized administrative control over the system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring REST API calls to the createUser endpoint, specifically POST requests to /studiocms_api/rest/v1/secure/users that create new admin accounts.'}, {'type': 'paragraph', 'content': 'You can look for suspicious creation of admin users via the REST API by inspecting logs or using network monitoring tools to detect unauthorized privilege escalation attempts.'}, {'type': 'paragraph', 'content': 'A suggested command to detect such activity could be using curl or similar tools to test the endpoint with an admin token and attempt to create an admin user, verifying if the request is improperly allowed.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST https://your-studiocms-instance/studiocms_api/rest/v1/secure/users -H "Authorization: Bearer <admin-token>" -H "Content-Type: application/json" -d \'{"username":"testadmin","permissionLevel":"admin"}\''}, {'type': 'paragraph', 'content': 'If the above request succeeds in creating an admin user without proper authorization errors, the system is vulnerable.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade StudioCMS to version 0.4.3 or later, where the REST API implements proper indexOf-based rank comparison to prevent unauthorized creation of admin accounts.

Until the upgrade can be applied, restrict access to the REST API createUser endpoint to only trusted users and monitor API usage closely for suspicious account creations.

Additionally, review and audit existing admin accounts to detect any unauthorized privilege proliferation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart