Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32638 is an authorization bypass vulnerability in StudioCMS's REST API, specifically in the getUsers endpoint prior to version 0.4.4."}, {'type': 'paragraph', 'content': "The vulnerability occurs because the getUsers endpoint uses an attacker-controlled query parameter `rank` to filter user accounts instead of enforcing filtering based on the caller's privilege level."}, {'type': 'paragraph', 'content': 'This flaw allows an admin token to specify `rank=owner` and retrieve owner account records, including sensitive information such as user IDs, usernames, display names, and email addresses.'}, {'type': 'paragraph', 'content': "This is an authorization inconsistency because the adjacent getUser endpoint correctly restricts admins from viewing owner accounts by comparing the caller's rank to the target user's rank."}, {'type': 'paragraph', 'content': "The issue was fixed in version 0.4.4 by changing the filtering logic to compare the caller's rank index to each candidate user's rank index, ensuring admins cannot access owner accounts."}] [2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with an admin token to enumerate owner accounts and access sensitive information such as IDs, usernames, display names, and email addresses of high-privilege users.

By bypassing intended authorization boundaries, attackers can use this information for phishing, social engineering, or targeted attacks against owner accounts.

Although the severity is rated low (CVSS 2.7), the exposure of owner account details can facilitate further attacks or privilege escalation attempts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the StudioCMS REST API getUsers endpoint with an admin token and specifying the query parameter rank=owner. If the response includes owner account records such as IDs, usernames, display names, and email addresses, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'A suggested command to test this would be an HTTP GET request like: GET /users?rank=owner using an admin token for authentication.'}, {'type': 'paragraph', 'content': 'For example, using curl (replace <admin_token> and <studiocms_url>):'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <admin_token>" "https://<studiocms_url>/users?rank=owner"'}, {'type': 'paragraph', 'content': 'If the response contains owner user data, this confirms the authorization bypass vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade StudioCMS to version 0.4.4 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "The fix involves changing the user filtering logic in the getUsers endpoint to enforce access control based on the caller's rank rather than the user-supplied rank query parameter."}, {'type': 'paragraph', 'content': 'Until the upgrade can be applied, restrict admin tokens from making requests with the rank=owner parameter or monitor and block such requests at the network or application firewall level.'}, {'type': 'paragraph', 'content': 'Additionally, review and audit API access logs for suspicious queries attempting to enumerate owner accounts.'}] [2, 3, 1]

Useful 0 Not Useful 0