Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32106 is a vulnerability in StudioCMS versions prior to 0.4.3 caused by inconsistent permission checks between its REST API and Dashboard API when creating user accounts.'}, {'type': 'paragraph', 'content': "The REST API's createUser endpoint only blocks creation of 'owner' accounts by non-owners but fails to prevent an admin from creating additional admin accounts. In contrast, the Dashboard API correctly prevents creating users with ranks equal to or higher than the caller's rank."}, {'type': 'paragraph', 'content': 'This inconsistency allows an admin to create more admin accounts via the REST API, leading to privilege proliferation and persistence.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with admin-level access to create additional admin accounts through the REST API without proper authorization.

As a result, it enables privilege escalation and persistence, meaning unauthorized users can gain or maintain high-level administrative privileges.

The impact includes low confidentiality, integrity, and availability risks but can lead to unauthorized administrative control over the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring REST API calls to the createUser endpoint, specifically POST requests to /studiocms_api/rest/v1/secure/users that create new admin accounts.'}, {'type': 'paragraph', 'content': 'You can look for suspicious creation of admin users via the REST API by inspecting logs or using network monitoring tools to detect unauthorized privilege escalation attempts.'}, {'type': 'paragraph', 'content': 'A suggested command to detect such activity could be using curl or similar tools to test the endpoint with an admin token and attempt to create an admin user, verifying if the request is improperly allowed.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST https://your-studiocms-instance/studiocms_api/rest/v1/secure/users -H "Authorization: Bearer <admin-token>" -H "Content-Type: application/json" -d \'{"username":"testadmin","permissionLevel":"admin"}\''}, {'type': 'paragraph', 'content': 'If the above request succeeds in creating an admin user without proper authorization errors, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade StudioCMS to version 0.4.3 or later, where the REST API implements proper indexOf-based rank comparison to prevent unauthorized creation of admin accounts.

Until the upgrade can be applied, restrict access to the REST API createUser endpoint to only trusted users and monitor API usage closely for suspicious account creations.

Additionally, review and audit existing admin accounts to detect any unauthorized privilege proliferation.

Useful 0 Not Useful 0