Cyber Resilience

CVE-2026-32106

MediumPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0003 7.4th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32106 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Studiocms Studiocms. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-32106 is an improper privilege management vulnerability (CWE-269) in StudioCMS, a server-side-rendered, Astro native, headless content management system. In versions prior to 0.4.3, the REST API createUser endpoint implements string-based rank checks that only block the creation of owner accounts. In contrast, the Dashboard API uses indexOf-based rank comparisons to prevent creating users at or equal to the caller's own rank. This inconsistency allows privilege escalation, with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

An authenticated administrator can exploit the vulnerability remotely with low complexity by invoking the REST API createUser endpoint to create additional admin-level accounts. Successful exploitation enables privilege proliferation by granting new accounts equivalent administrative permissions and establishes persistence in the compromised environment.

The issue is addressed in StudioCMS version 0.4.3. Additional details on the vulnerability and remediation are available in the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q.

EU & UK References

Vulnerability details

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users…

more

at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

Vulnerability is improper privilege management in createUser REST API allowing authenticated admin to create additional admin accounts (inconsistent rank checks), directly enabling exploitation for privilege escalation (T1068) and creation of accounts to establish persistence (T1136).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30944Same product: Studiocms Studiocms
CVE-2026-32103Same product: Studiocms Studiocms
CVE-2026-32101Same product: Studiocms Studiocms
CVE-2026-30945Same product: Studiocms Studiocms
CVE-2026-27198Shared CWE-269
CVE-2025-13618Shared CWE-269
CVE-2025-6994Shared CWE-269
CVE-2024-44250Shared CWE-269
CVE-2024-53706Shared CWE-269
CVE-2025-66374Shared CWE-269

Affected Assets

studiocms
studiocms
≤ 0.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces consistent authorization checks on the createUser REST endpoint so that rank-based restrictions cannot be bypassed to create equal-privilege accounts.

prevent

Requires that accounts be created only with privileges no higher than the caller's own rank, eliminating the privilege-proliferation path introduced by the inconsistent API checks.

prevent

Mandates controlled account-creation procedures and privilege assignments that would have prevented the REST API from allowing unauthorized admin accounts.

References