CVE-2026-32638 Overview
StudioCMS, a server-side-rendered, Astro native, headless content management system, contains an authorization bypass vulnerability in its REST API getUsers endpoint. Prior to version 0.4.4, the endpoint uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. This allows an admin token to request rank=owner and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent getUser endpoint correctly blocks admins from viewing owner users.
Critical Impact
Admin-rank callers can switch off the owner filter and enumerate owner account records (IDs, usernames, display names and email addresses). The exposure is identity data rather than credentials, and the caller must already hold an admin token, but it breaks the permission hierarchy that the adjacent getUser endpoint enforces and hands whoever holds an admin token a target list for phishing or credential attacks against the highest-privilege accounts.
Affected Products
- StudioCMS versions prior to 0.4.4
Discovery Timeline
- 2026-03-18 - CVE-2026-32638 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32638
Vulnerability Analysis
This vulnerability is a broken access control issue in StudioCMS's REST API user management functionality, classified as CWE-639 (authorization bypass through a user-controlled key). Two endpoints that serve the same resource type implement different access-control logic: getUser derives its decision from the caller's authenticated rank, while getUsers lets a request parameter make it.
The getUsers endpoint accepts a rank query parameter that is used directly in the data-filtering logic. When an admin supplies rank=owner, the handler skips the step that removes owner accounts, so owner records come back in the response. The getUser endpoint, by contrast, refuses to return an owner record to an admin, so the same data is protected on one path and exposed on the other.
The exposed fields are the owner accounts' user IDs, usernames, display names and email addresses, which the application's permission model withholds from admin-rank users.
Root Cause
The root cause is improper implementation of role-based access control in the getUsers REST API handler. The vulnerable code decided which records to hide based on the request's rank query parameter rather than on the authenticated caller's permission level. The check if (rank !== 'owner') removed owner accounts only when the parameter was something other than the literal string owner, so an admin could disable the filter by supplying exactly rank=owner; because the comparison is a strict string comparison, no other value (and no absent parameter) has that effect.
Attack Vector
An attacker with admin-level API credentials can exploit this vulnerability by crafting a malicious API request to the getUsers endpoint with the rank=owner query parameter. This network-accessible attack requires high privileges (admin token) but no user interaction, allowing unauthorized enumeration of owner account details that should be protected from admin users.
The attack is a single request: authenticate with an admin API token and call the getUsers endpoint with ?rank=owner appended to its URL; the response then contains the owner account records.
The security patch implements proper authorization by filtering users based on the authenticated user's rank index rather than relying on user-supplied parameters:
// Before (vulnerable): `rank` is the request's query parameter, so the caller
// decides whether owner records are removed from the result set.
if (rank !== 'owner') {
    data = data.filter((user) => user.rank !== 'owner');
}

// After (fixed): the ceiling comes from the authenticated user's rank; the
// query parameter no longer influences authorization.
const loggedInUserRankIndex = availablePermissionRanks.indexOf(user.rank);
data = data.filter((candidate) => {
    const candidateRankIndex = availablePermissionRanks.indexOf(candidate.rank);
    return loggedInUserRankIndex > candidateRankIndex;
});
Source: GitHub Commit Details
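The difference between the two shapes is easier to see with data. What follows is an added example written for this page, not StudioCMS code: the rank ordering, the record type and the user table are constructed, and the helper names getUsersVulnerable and getUsersFixed are hypothetical. It applies the caller's rank as the authorization ceiling first and only then honours rank as a display filter, which is the general pattern the patch instantiates.

```typescript
// Added example for this page; not StudioCMS code. The rank order, the
// record type and the user table below are constructed assumptions.
type Rank = "visitor" | "editor" | "admin" | "owner";

interface UserRecord {
  id: string;
  username: string;
  name: string;
  email: string;
  rank: Rank;
}

// Assumed to be ascending in privilege, which is what index comparison requires.
const availablePermissionRanks: Rank[] = ["visitor", "editor", "admin", "owner"];

// Constructed sample user table.
const users: UserRecord[] = [
  { id: "u1", username: "root", name: "Site Owner", email: "owner@example.test", rank: "owner" },
  { id: "u2", username: "alice", name: "Alice", email: "alice@example.test", rank: "admin" },
  { id: "u3", username: "bob", name: "Bob", email: "bob@example.test", rank: "editor" },
];

// Vulnerable shape (hypothetical name): the query-string value decides whether
// owner records are dropped, so rank=owner switches the filter off.
function getUsersVulnerable(data: UserRecord[], rankParam?: string): UserRecord[] {
  if (rankParam !== "owner") {
    return data.filter((u) => u.rank !== "owner");
  }
  return data;
}

// Fixed shape (hypothetical name): the ceiling comes from the authenticated
// caller's rank. The query parameter, if honoured at all, is applied only as a
// display filter after authorization, so it can narrow the result but never widen it.
function getUsersFixed(data: UserRecord[], callerRank: Rank, rankParam?: string): UserRecord[] {
  const callerIndex = availablePermissionRanks.indexOf(callerRank);
  const authorized = data.filter(
    (candidate) => availablePermissionRanks.indexOf(candidate.rank) < callerIndex,
  );
  return rankParam ? authorized.filter((u) => u.rank === rankParam) : authorized;
}

// Same admin request, before and after: the vulnerable path returns the owner
// record; the fixed path returns nothing, because owner is above admin.
console.log("vulnerable:", getUsersVulnerable(users, "owner").map((u) => u.username));
console.log("fixed:", getUsersFixed(users, "admin", "owner").map((u) => u.username));
console.log("fixed, no filter:", getUsersFixed(users, "admin").map((u) => u.username));
```

Note the strict less-than: it mirrors the patch's loggedInUserRankIndex > candidateRankIndex and hides same-rank accounts, so an admin with no filter sees only bob, not alice. If listing peers is wanted, that is a product decision to take separately from the authorization fix, not a reason to weaken the comparison.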
Detection Methods for CVE-2026-32638
Indicators of Compromise
- Requests to the getUsers endpoint whose decoded query string contains rank=owner, issued by a token whose rank is below owner (owner tokens may legitimately use this filter, so the caller's rank is what makes the request suspicious)
- Unusual volume or timing of user-listing queries from admin accounts
- Access log entries showing an admin token receiving getUsers responses that include owner records (only visible where response bodies or result counts are logged)
Detection Strategies
- Monitor REST API access logs for requests to /studiocms_api/*/getUsers endpoints whose query string contains rank=owner; match on the decoded value, since an encoded form such as rank=%6Fwner reaches the handler as rank=owner
- Implement anomaly detection for admin accounts querying user management endpoints with elevated rank filters
- Review audit logs for patterns of user enumeration activity from admin-level API tokens
Monitoring Recommendations
- Enable request logging on the StudioCMS REST API endpoints that captures the query string together with the identity and rank of the calling user or token; the query string alone cannot distinguish an owner's legitimate use of rank=owner from an admin's bypass
- Set up alerts for API requests attempting to access owner-level user data with admin credentials
- Implement rate limiting and anomaly detection on user management API endpoints
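The indicators above only work when the caller's rank is recorded alongside the query string. The following detection routine is an added example for this page, not a StudioCMS or vendor tool: the JSON-lines log format, the field names (path, callerRank) and the sample entries are constructed, and the path pattern assumes the /studiocms_api/*/getUsers shape quoted above. It decodes the query string before matching, so percent-encoded variants are caught, and it skips owner tokens, which may use the filter legitimately.

```typescript
// Added detection example; not part of StudioCMS. Log format, field names
// and sample lines are constructed assumptions for the illustration.
interface ApiLogEntry {
  ts: string;
  method: string;
  path: string;        // request path including query string
  callerRank: string;  // rank the application resolved from the API token
  status: number;
}

interface OwnerEnumerationAlert {
  ts: string;
  callerRank: string;
  path: string;
  reason: string;
}

// Constructed sample log (one JSON object per line). The fifth line is deliberately malformed.
const sampleLog = [
  '{"ts":"2026-03-18T10:00:01Z","method":"GET","path":"/studiocms_api/rest/v1/users/getUsers?rank=owner","callerRank":"admin","status":200}',
  '{"ts":"2026-03-18T10:00:02Z","method":"GET","path":"/studiocms_api/rest/v1/users/getUsers?rank=owner","callerRank":"owner","status":200}',
  '{"ts":"2026-03-18T10:00:03Z","method":"GET","path":"/studiocms_api/rest/v1/users/getUsers?rank=editor","callerRank":"admin","status":200}',
  '{"ts":"2026-03-18T10:00:04Z","method":"GET","path":"/studiocms_api/rest/v1/users/getUsers?rank=%6Fwner","callerRank":"admin","status":200}',
  'garbage line that is not JSON',
  '{"ts":"2026-03-18T10:00:05Z","method":"GET","path":"/studiocms_api/rest/v1/users/getUser/u1","callerRank":"admin","status":403}',
].join("\n");

// Path shape assumed from the advisory's /studiocms_api/*/getUsers wording.
const GET_USERS_PATH = /^\/studiocms_api\/[^?]*\/getUsers(?:\?|$)/;

function parseEntry(line: string): ApiLogEntry | null {
  try {
    const obj = JSON.parse(line);
    if (typeof obj.path !== "string" || typeof obj.callerRank !== "string") return null;
    return obj as ApiLogEntry;
  } catch {
    return null; // unparseable lines are skipped, not treated as alerts
  }
}

function detectOwnerEnumeration(logText: string): OwnerEnumerationAlert[] {
  const alerts: OwnerEnumerationAlert[] = [];
  for (const line of logText.split("\n")) {
    const entry = parseEntry(line);
    if (!entry || !GET_USERS_PATH.test(entry.path)) continue;
    const q = entry.path.indexOf("?");
    if (q === -1) continue;
    // URLSearchParams percent-decodes values, so rank=%6Fwner matches as well.
    const rank = new URLSearchParams(entry.path.slice(q + 1)).get("rank");
    if (rank !== "owner") continue;
    // Owner tokens are entitled to list owners; anything below owner is the bypass.
    if (entry.callerRank === "owner") continue;
    alerts.push({
      ts: entry.ts,
      callerRank: entry.callerRank,
      path: entry.path,
      reason: "getUsers called with rank=owner by a non-owner token (CVE-2026-32638 pattern)",
    });
  }
  return alerts;
}

for (const a of detectOwnerEnumeration(sampleLog)) {
  console.log(`${a.ts} ${a.callerRank} ${a.path} :: ${a.reason}`);
}
```

Run against the sample log, the first and fourth entries are flagged; the owner's request, the editor filter, the malformed line and the getUser call are not. In production, feed the routine the application's own request log and alert on any non-owner hit until the upgrade to 0.4.4 is confirmed.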
How to Mitigate CVE-2026-32638
Immediate Actions Required
- Upgrade StudioCMS to version 0.4.4 or later immediately
- Review API access logs for any exploitation attempts using rank=owner query parameters
- Audit admin account activity for any unauthorized access to owner user data
- If exploitation is suspected, treat the owner accounts' usernames and email addresses as exposed: warn the owners, watch for phishing and credential-stuffing attempts against those addresses, and rotate owner credentials as a precaution (the vulnerability discloses identity data, not passwords or tokens)
Patch Information
StudioCMS version 0.4.4 addresses this vulnerability by implementing proper role-based filtering that compares the authenticated user's rank against each candidate user rather than relying on user-supplied query parameters. The fix ensures users can only retrieve information about accounts with lower permission levels than their own. Because the comparison is strict (the caller's rank index must be greater than the candidate's), it also hides same-rank accounts, so an admin no longer sees other admins in getUsers; account for that behaviour change when validating the upgrade.
For patch details, see the GitHub Security Advisory GHSA-xvf4-ch4q-2m24 and the GitHub Release 0.4.4.
Workarounds
- Restrict admin API token distribution and implement strict access controls on who can obtain admin credentials
- Implement network-level access controls to limit API access to trusted sources
- As a stopgap only, deploy a web application firewall (WAF) rule that blocks requests to the getUsers endpoint whose decoded query string contains rank=owner. The rule also blocks owner tokens from using that filter, and a WAF that matches the raw string can be bypassed with percent-encoding (rank=%6Fwner) unless it normalizes the query before matching, so it is not a substitute for the upgrade
# Example: install the patched version and pin it. npm update resolves from the
# range in package.json rather than an explicit version, so use npm install with
# the version; confirm the package name against your project's package.json.
npm install @studiocms/studiocms@0.4.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.