CVE-2026-32101
Published: 11 March 2026
Summary
CVE-2026-32101 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Studiocms Studiocms. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
StudioCMS, a server-side-rendered, Astro native, headless content management system, contains a vulnerability in versions prior to 0.3.1 designated as CVE-2026-32101. The issue resides in the S3 storage manager's isAuthorized() function, which is declared as async and returns a Promise<boolean>, but is invoked without await in both POST and PUT handlers. In JavaScript, a Promise object is always truthy, causing !isAuthorized(type) to always evaluate to false and fully bypass the authorization check. This flaw is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).
Any authenticated user with the lowest visitor role can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants the ability to upload, delete, rename, and list all files in the associated S3 bucket, resulting in low confidentiality and availability impacts but high integrity impact.
The vulnerability is addressed in StudioCMS version 0.3.1. Additional details are available in the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11367
Vulnerability details
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object…
more
is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authz bypass in the public-facing CMS (async/await flaw in isAuthorized) is directly exploitable via T1190; resulting unauthorized file ops on S3 from a low-priv account constitute T1068.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to system resources, directly countering the complete bypass of the async isAuthorized() check in S3 POST and PUT handlers.
Requires a tamperproof reference monitor that is always invoked for access decisions, mitigating logic flaws like calling async authorization without await.
Employs least privilege to restrict visitor roles from S3 file operations, reducing the impact even if application-level authorization is bypassed.