CVE-2026-32106
Published: 11 March 2026
Summary
CVE-2026-32106 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Studiocms Studiocms. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-32106 is an improper privilege management vulnerability (CWE-269) in StudioCMS, a server-side-rendered, Astro native, headless content management system. In versions prior to 0.4.3, the REST API createUser endpoint implements string-based rank checks that only block the creation of owner accounts. In contrast, the Dashboard API uses indexOf-based rank comparisons to prevent creating users at or equal to the caller's own rank. This inconsistency allows privilege escalation, with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
An authenticated administrator can exploit the vulnerability remotely with low complexity by invoking the REST API createUser endpoint to create additional admin-level accounts. Successful exploitation enables privilege proliferation by granting new accounts equivalent administrative permissions and establishes persistence in the compromised environment.
The issue is addressed in StudioCMS version 0.4.3. Additional details on the vulnerability and remediation are available in the GitHub security advisory at https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11375
Vulnerability details
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users…
more
at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is improper privilege management in createUser REST API allowing authenticated admin to create additional admin accounts (inconsistent rank checks), directly enabling exploitation for privilege escalation (T1068) and creation of accounts to establish persistence (T1136).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces consistent authorization checks on the createUser REST endpoint so that rank-based restrictions cannot be bypassed to create equal-privilege accounts.
Requires that accounts be created only with privileges no higher than the caller's own rank, eliminating the privilege-proliferation path introduced by the inconsistent API checks.
Mandates controlled account-creation procedures and privilege assignments that would have prevented the REST API from allowing unauthorized admin accounts.