CVE-2026-32104

MEDIUM

StudioCMS <0.4.3 - Privilege Escalation


Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (there is no check such as id !== userData.user.id). Any authenticated visitor can therefore modify the notification preferences of any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
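Added example, not StudioCMS's own code: a stripped-down model of the handler shape the description implies, with the vulnerable form beside one that adds the missing ownership check. The session shape (userData.user.id), the request body fields, the preference names and the in-memory store are assumptions.

```typescript
// Added example, not StudioCMS code. All names and shapes here are assumptions.
type Prefs = { emailOnNewUser: boolean; emailOnNewPost: boolean };
type User = { id: string; prefs: Prefs };
type UserData = { user: { id: string } } | null; // null = not logged in
type Body = { id: string; notifications: Partial<Prefs> };
type Result = { status: number; message: string };

// Constructed in-memory store: one admin with alerts on, one ordinary user.
function makeUsers(): Map<string, User> {
  return new Map<string, User>([
    ['admin-1', { id: 'admin-1', prefs: { emailOnNewUser: true, emailOnNewPost: true } }],
    ['user-7', { id: 'user-7', prefs: { emailOnNewUser: false, emailOnNewPost: false } }],
  ]);
}

// Vulnerable shape (CWE-639): confirms a session exists, then trusts body.id
// to select the account to update, so any logged-in user can change any account.
function updateUserNotificationsVulnerable(userData: UserData, body: Body, db: Map<string, User>): Result {
  if (!userData) return { status: 401, message: 'Unauthorized' };
  const target = db.get(body.id);
  if (!target) return { status: 404, message: 'User not found' };
  target.prefs = { ...target.prefs, ...body.notifications };
  return { status: 200, message: 'Updated' };
}

// Hardened shape: refuse unless the supplied id is the caller's own account.
// This is the ownership check (id !== userData.user.id) the advisory says was missing.
function updateUserNotificationsFixed(userData: UserData, body: Body, db: Map<string, User>): Result {
  if (!userData) return { status: 401, message: 'Unauthorized' };
  if (body.id !== userData.user.id) return { status: 403, message: 'Forbidden' };
  const target = db.get(body.id);
  if (!target) return { status: 404, message: 'User not found' };
  target.prefs = { ...target.prefs, ...body.notifications };
  return { status: 200, message: 'Updated' };
}
```

A stricter variant drops the id from the payload entirely and always updates userData.user.id, so the client has no field with which to name another account.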

Scores

CVSS v3 5.4
EPSS 0.0002
EPSS Percentile 3.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (2)
npm/studiocms 0 - 0.4.3 (npm)
studiocms/studiocms < 0.4.3
Published Mar 11, 2026
Tracked Since Mar 12, 2026