Cyber Resilience

CVE-2026-32103

Severity: Medium · Public PoC

Published: 11 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: available (fixed in 0.4.3)
CVSS Score (v3.1): 6.8, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32103 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Studiocms Studiocms. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 5.5th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

StudioCMS, a server-side-rendered, Astro-native, headless content management system, is affected by CVE-2026-32103 in versions prior to 0.4.3. The issue is in the POST /studiocms_api/dashboard/create-reset-link endpoint, which lets any authenticated user with admin privileges generate a password reset token for any other user, including the owner account. The handler checks that the caller is an admin but neither enforces the role hierarchy nor validates that the caller-supplied target userId matches the caller's own identity, which maps to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).

An attacker who already holds an admin account can exploit this remotely over the network with low complexity and no user interaction. Calling the vulnerable endpoint with the owner's userId yields a reset token for the owner account; submitting that token to POST /studiocms_api/dashboard/reset-password sets a new password and completes the takeover of the most privileged account in the system. The CVSS v3.1 base score is 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N): PR:H reflects the admin account the attacker must already hold, C:N/A:N that the direct impact is to integrity only, and S:C that the impact reaches beyond the authorization boundary the admin was granted.

The vulnerability is fixed in StudioCMS version 0.4.3; see the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c. Upgrade to 0.4.3 or later, then verify the fix from a non-owner admin session by confirming that create-reset-link rejects a request whose target userId is the owner's. Review the other admin endpoints for the same pattern (an admin gate with no role-hierarchy or target-identity check).


Vulnerability details

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.

CWE(s)

CWE-639 Authorization Bypass Through User-Controlled Key
CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The authorization bypass in the authenticated admin endpoint directly enables an attacker to escalate from admin to owner account via unauthorized password reset token generation and use, matching exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30944 (same product: Studiocms Studiocms)
CVE-2026-32101 (same product: Studiocms Studiocms)
CVE-2026-32106 (same product: Studiocms Studiocms)
CVE-2026-30945 (same product: Studiocms Studiocms)
CVE-2026-38807 (shared CWE-639)
CVE-2026-2697 (shared CWE-639)
CVE-2026-5617 (shared CWE-639)
CVE-2026-41906 (shared CWE-639)
CVE-2026-8629 (shared CWE-639)
CVE-2026-0020 (shared CWE-639)

Affected Assets

Vendor: studiocms
Product: studiocms
Versions: < 0.4.3 (fixed in 0.4.3)

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · AC-3 (Access Enforcement): Directly enforces that the create-reset-link handler must validate both the caller's admin role and that the target userId is within the caller's authorized scope, blocking unauthorized token generation for higher-privileged accounts.

prevent · AC-6 (Least Privilege): Requires that admin accounts receive only the minimum privileges needed, explicitly preventing an admin from generating reset tokens for the owner or other superior accounts.

prevent: Enforces separation between distinct administrative roles so that a lower-tier admin cannot perform password-reset actions reserved for the owner account.
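As an added example (not StudioCMS's own code and not the patch shipped in 0.4.3), the following TypeScript models the two endpoints described in the Deeper analysis section and the check the Mitigating Controls above call for: a create-reset-link handler that gates only on admin status, beside one that also enforces the role hierarchy, plus the reset-password step, so the two-step takeover chain can be run against both. The role names and their ordering, the in-memory user table, the SHA-256 password hashing and the user IDs are assumptions made for illustration; the real StudioCMS role model and storage differ.

```typescript
import { createHash, randomBytes } from "node:crypto";

type Role = "visitor" | "editor" | "admin" | "owner";
interface User { id: string; role: Role; passwordHash: string; }

// Assumed privilege ordering; a higher rank may act on accounts of lower rank.
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Demo-only hashing so the example is self-contained; a real CMS uses a password KDF.
const hashPassword = (pw: string): string => createHash("sha256").update(pw).digest("hex");

// Constructed in-memory user table standing in for the CMS database (assumed IDs/roles).
const users = new Map<string, User>([
  ["u-owner",  { id: "u-owner",  role: "owner",  passwordHash: hashPassword("owner-pw") }],
  ["u-admin",  { id: "u-admin",  role: "admin",  passwordHash: hashPassword("admin-pw") }],
  ["u-editor", { id: "u-editor", role: "editor", passwordHash: hashPassword("editor-pw") }],
]);
const resetTokens = new Map<string, string>(); // token -> userId it was minted for

function issueToken(userId: string): string {
  const token = randomBytes(32).toString("hex");
  resetTokens.set(token, userId);
  return token;
}

function requireAdmin(callerId: string): User {
  const caller = users.get(callerId);
  if (!caller || RANK[caller.role] < RANK.admin) throw new Error("forbidden: admin required");
  return caller;
}

// Vulnerable shape (the pre-0.4.3 behaviour as the advisory describes it): the only
// gate is "is the caller an admin?". targetUserId comes straight from the request
// body (CWE-639), so an admin can mint a reset token for the owner.
export function createResetLinkVulnerable(callerId: string, targetUserId: string): string {
  requireAdmin(callerId);
  if (!users.has(targetUserId)) throw new Error("no such user");
  return issueToken(targetUserId);
}

// Hardened shape: same admin gate, plus the target must be the caller itself or
// strictly below the caller in the hierarchy. An admin may reset an editor or
// itself, but not the owner or a peer admin.
export function createResetLinkHardened(callerId: string, targetUserId: string): string {
  const caller = requireAdmin(callerId);
  const target = users.get(targetUserId);
  if (!target) throw new Error("no such user");
  const isSelf = target.id === caller.id;
  if (!isSelf && RANK[target.role] >= RANK[caller.role]) {
    throw new Error("forbidden: target is not below caller in role hierarchy");
  }
  return issueToken(target.id);
}

// reset-password only sees a token; it cannot tell that the token was minted for the
// wrong target, which is why the authorization check belongs in create-reset-link.
export function resetPassword(token: string, newPassword: string): string {
  const userId = resetTokens.get(token);
  const user = userId === undefined ? undefined : users.get(userId);
  if (userId === undefined || user === undefined) throw new Error("invalid token");
  resetTokens.delete(token);
  user.passwordHash = hashPassword(newPassword);
  return userId;
}

export function login(userId: string, password: string): boolean {
  const user = users.get(userId);
  return user !== undefined && user.passwordHash === hashPassword(password);
}

// Runs the two-step chain from the advisory (admin -> owner) against a given
// create-reset-link implementation; true means the attacker can now log in as owner.
export function attemptOwnerTakeover(
  createResetLink: (callerId: string, targetUserId: string) => string,
): boolean {
  try {
    const token = createResetLink("u-admin", "u-owner"); // POST .../create-reset-link
    resetPassword(token, "attacker-chosen");              // POST .../reset-password
    return login("u-owner", "attacker-chosen");
  } catch {
    return false;
  }
}

// True when the handler refuses the (caller, target) pair; used to probe the hierarchy rule.
export function isRefused(
  createResetLink: (callerId: string, targetUserId: string) => string,
  callerId: string,
  targetUserId: string,
): boolean {
  try { createResetLink(callerId, targetUserId); return false; } catch { return true; }
}

console.log("vulnerable handler: owner takeover =", attemptOwnerTakeover(createResetLinkVulnerable));
console.log("hardened handler:   owner takeover =", attemptOwnerTakeover(createResetLinkHardened));
```

The hardened handler keeps the self-reset path and the admin-over-editor path open, so it does not break legitimate administration; it only closes the upward and sideways cases (admin targeting owner or another admin), which is the gap the advisory describes.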

References

https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c