CVE-2026-32101
Published: 11 March 2026
Summary
CVE-2026-32101 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Studiocms Studiocms. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
Ensures authorization decisions for external system use are correctly implemented and enforced.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authz bypass in the public-facing CMS (async/await flaw in isAuthorized) is directly exploitable via T1190; resulting unauthorized file ops on S3 from a low-priv account constitute T1068.
NVD Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object…
more
is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
Deeper analysisAI
StudioCMS, a server-side-rendered, Astro native, headless content management system, contains a vulnerability in versions prior to 0.3.1 designated as CVE-2026-32101. The issue resides in the S3 storage manager's isAuthorized() function, which is declared as async and returns a Promise<boolean>, but is invoked without await in both POST and PUT handlers. In JavaScript, a Promise object is always truthy, causing !isAuthorized(type) to always evaluate to false and fully bypass the authorization check. This flaw is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).
Any authenticated user with the lowest visitor role can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants the ability to upload, delete, rename, and list all files in the associated S3 bucket, resulting in low confidentiality and availability impacts but high integrity impact.
The vulnerability is addressed in StudioCMS version 0.3.1. Additional details are available in the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr.
Details
- CWE(s)