CVE-2026-32103
Published: 11 March 2026
Summary
CVE-2026-32103 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Studiocms Studiocms. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 5.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.
Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass in the authenticated admin endpoint directly enables an attacker to escalate from admin to owner account via unauthorized password reset token generation and use, matching exploitation for privilege escalation.
NVD Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.
Deeper analysis
StudioCMS, a server-side-rendered, Astro native, headless content management system, contains a vulnerability (CVE-2026-32103) in versions prior to 0.4.3. The issue affects the POST /studiocms_api/dashboard/create-reset-link endpoint, which permits any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler checks for admin status but fails to enforce role hierarchy or validate that the target userId matches the caller's identity, violating CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-640 (Weak Enforcement of a Single, Unique Role).
An attacker with admin privileges can exploit this remotely over the network with low complexity and no user interaction. By calling the vulnerable endpoint to create a reset token for the highest-privileged account, such as the owner, and then using the POST /studiocms_api/dashboard/reset-password endpoint, the attacker achieves complete account takeover. This grants control over the most privileged account in the system, with a CVSS v3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N), emphasizing high integrity impact in a changed scope.
The vulnerability is addressed in StudioCMS version 0.4.3, as detailed in the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c. Security practitioners should upgrade to the patched version and review access controls on admin endpoints to ensure proper role hierarchy and user identity validation.
Details
- CWE(s)