CVE-2026-32106
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at...
EUVD-2026-11375
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts...
CVE-2026-32106
StudioCMS (versions before 0.4.3) has an inconsistent RBAC check: REST API createUser uses string-based checks that only block owner, while the Dashboard API uses rank-index comparison. This allows an admin to create peer-admin accounts via REST, enabling privilege proliferation. The issue is fix...
PT-2026-24822
Summary: The REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts...
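The two checks the advisory contrasts, side by side as an added example in JavaScript. This is not StudioCMS code: the rank ordering, the function names and the request shape are assumptions made here for illustration. The vulnerable check is the string comparison that only refuses an owner; the hardened check is the position comparison that refuses anything at or above the caller's own rank, with unknown ranks rejected explicitly so that an indexOf of -1 cannot become the most privileged position.

```javascript
// Added example, not StudioCMS code. Rank names and their order are assumed
// for illustration: index 0 is the most privileged rank.
const RANKS = ["owner", "admin", "editor", "visitor"];

// Vulnerable pattern described in the advisory: a string check that only
// blocks creating an owner. An admin can therefore mint a peer admin.
function canCreateUserVulnerable(actorRank, targetRank) {
  return targetRank !== "owner";
}

// Hardened pattern: compare positions in the rank ordering and refuse to
// create a user at or above the actor's own rank. Unknown ranks (indexOf
// returning -1) are rejected outright; otherwise an unrecognised actor rank
// would compare as higher than every real rank and be allowed everything.
function canCreateUserFixed(actorRank, targetRank) {
  const actorIdx = RANKS.indexOf(actorRank);
  const targetIdx = RANKS.indexOf(targetRank);
  if (actorIdx === -1 || targetIdx === -1) return false;
  return targetIdx > actorIdx;
}

// Minimal stand-in for a createUser handler (assumed shape, not the real
// endpoint): `check` is one of the two policies above, `actorRank` comes from
// the authenticated session, `body` is the parsed request.
function handleCreateUser(check, actorRank, body) {
  if (typeof body.username !== "string" || typeof body.rank !== "string") {
    return { status: 400, error: "username and rank are required" };
  }
  if (!check(actorRank, body.rank)) {
    return { status: 403, error: `rank ${actorRank} may not create rank ${body.rank}` };
  }
  return { status: 201, user: { username: body.username, rank: body.rank } };
}

// Constructed request: an admin trying to create a second admin.
const peerAdminRequest = { username: "mallory", rank: "admin" };
console.log("vulnerable:", handleCreateUser(canCreateUserVulnerable, "admin", peerAdminRequest));
console.log("fixed:     ", handleCreateUser(canCreateUserFixed, "admin", peerAdminRequest));
```

The design point is that the two APIs must share one policy function; an authorization rule duplicated across two entry points in two different styles is exactly how one of them drifts into accepting what the other refuses.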