CVE-2026-32106
Published: 11 March 2026
Summary
CVE-2026-32106 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Studiocms Studiocms. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
Enforces proper privilege management by requiring all decisions through the verified reference monitor.
By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Implements core proper privilege management by restricting to only required rights.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is improper privilege management in createUser REST API allowing authenticated admin to create additional admin accounts (inconsistent rank checks), directly enabling exploitation for privilege escalation (T1068) and creation of accounts to establish persistence (T1136).
NVD Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users…
more
at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.
Deeper analysisAI
CVE-2026-32106 is an improper privilege management vulnerability (CWE-269) in StudioCMS, a server-side-rendered, Astro native, headless content management system. In versions prior to 0.4.3, the REST API createUser endpoint implements string-based rank checks that only block the creation of owner accounts. In contrast, the Dashboard API uses indexOf-based rank comparisons to prevent creating users at or equal to the caller's own rank. This inconsistency allows privilege escalation, with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
An authenticated administrator can exploit the vulnerability remotely with low complexity by invoking the REST API createUser endpoint to create additional admin-level accounts. Successful exploitation enables privilege proliferation by granting new accounts equivalent administrative permissions and establishes persistence in the compromised environment.
The issue is addressed in StudioCMS version 0.4.3. Additional details on the vulnerability and remediation are available in the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q.
Details
- CWE(s)