Cyber Resilience

CVE-2026-32101

HighPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS Score 0.0005 17.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32101 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Studiocms Studiocms. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

StudioCMS, a server-side-rendered, Astro native, headless content management system, contains a vulnerability in versions prior to 0.3.1 designated as CVE-2026-32101. The issue resides in the S3 storage manager's isAuthorized() function, which is declared as async and returns a Promise<boolean>, but is invoked without await in both POST and PUT handlers. In JavaScript, a Promise object is always truthy, causing !isAuthorized(type) to always evaluate to false and fully bypass the authorization check. This flaw is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

Any authenticated user with the lowest visitor role can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants the ability to upload, delete, rename, and list all files in the associated S3 bucket, resulting in low confidentiality and availability impacts but high integrity impact.

The vulnerability is addressed in StudioCMS version 0.3.1. Additional details are available in the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr.

EU & UK References

Vulnerability details

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object…

more

is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The authz bypass in the public-facing CMS (async/await flaw in isAuthorized) is directly exploitable via T1190; resulting unauthorized file ops on S3 from a low-priv account constitute T1068.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30944Same product: Studiocms Studiocms
CVE-2026-30945Same product: Studiocms Studiocms
CVE-2026-32103Same product: Studiocms Studiocms
CVE-2026-32106Same product: Studiocms Studiocms
CVE-2026-44110Shared CWE-863
CVE-2026-24851Shared CWE-863
CVE-2026-22230Shared CWE-863
CVE-2026-32005Shared CWE-863
CVE-2026-25741Shared CWE-863
CVE-2026-28392Shared CWE-863

Affected Assets

studiocms
studiocms
≤ 0.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly countering the complete bypass of the async isAuthorized() check in S3 POST and PUT handlers.

prevent

Requires a tamperproof reference monitor that is always invoked for access decisions, mitigating logic flaws like calling async authorization without await.

prevent

Employs least privilege to restrict visitor roles from S3 file operations, reducing the impact even if application-level authorization is bypassed.

References