PT-2026-24818 · Npm+2 · @Studiocms/S3-Storage+2
Restriction · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-32101
CVSS v3.1: 7.6 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
StudioCMS versions prior to 0.3.1
Description
StudioCMS is a server-side-rendered, Astro-native, headless content management system. Prior to version 0.3.1, the isAuthorized() function within the S3 storage manager is declared as asynchronous but is called without await in both the POST and PUT handlers. Because a Promise object is always truthy in JavaScript, the authorization check is bypassed, allowing any authenticated user with the lowest visitor role to perform unauthorized actions on the S3 bucket, including uploading, deleting, renaming, and listing files.
The isAuthorized() function is defined in packages/studiocms/src/handlers/storage-manager/definitions.ts:88 and implemented as async in packages/studiocms/src/handlers/storage-manager/core/effectify-astro-context.ts:32. The incorrect usage is found in packages/@studiocms/s3-storage/src/s3-storage-manager.ts at lines 200 and 372. The affected API endpoint is /studiocms_api/integrations/storage/manager, and the vulnerable parameter is type.
Recommendations
For versions prior to 0.3.1, add await to both calls of the isAuthorized() function in packages/@studiocms/s3-storage/src/s3-storage-manager.ts on lines 200 and 372.
Exploit
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
@Studiocms/S3-Storage
S3-Storage
Studiocms
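The missing-await pattern from the description, shown beside the recommended fix and a fail-closed variant. This is an added example, not StudioCMS source code: the role ladder, the handler names, the editor threshold and the sample type values are assumptions made for illustration.

```javascript
// Added example: constructed roles and handlers, not StudioCMS source code.
const ROLE_RANK = { visitor: 0, editor: 1, admin: 2, owner: 3 }; // assumed role ladder

// Stand-in for the async isAuthorized() described in the advisory.
// Assumption: storage operations need at least the editor role.
async function isAuthorized(role) {
  return (ROLE_RANK[role] ?? -1) >= ROLE_RANK.editor;
}

// Vulnerable shape: no await, so the condition tests a Promise object.
// A Promise is truthy, `!promise` is false, and the 403 branch is dead code.
function handleVulnerable(role, type) {
  if (!isAuthorized(role)) {
    return { status: 403, type };
  }
  return { status: 200, type };
}

// Fixed shape (the advisory's recommendation): await the check.
async function handleFixed(role, type) {
  if (!(await isAuthorized(role))) {
    return { status: 403, type };
  }
  return { status: 200, type };
}

// Hardening: accept only the literal boolean true. With the await forgotten,
// every request is denied, so the bug shows up in testing instead of
// silently granting access.
function handleFailClosed(role, type) {
  const decision = isAuthorized(role); // await deliberately omitted here
  if (decision !== true) {
    return { status: 403, type };
  }
  return { status: 200, type };
}

// Constructed requests: a visitor asking for a delete, an editor for an upload.
async function demo() {
  return {
    vulnerableVisitor: handleVulnerable('visitor', 'delete').status,
    fixedVisitor: (await handleFixed('visitor', 'delete')).status,
    fixedEditor: (await handleFixed('editor', 'upload')).status,
    failClosedVisitor: handleFailClosed('visitor', 'delete').status,
  };
}

demo().then((result) => console.log(result));
```

In a TypeScript code base, the @typescript-eslint/no-misused-promises rule reports a Promise used as an if condition, which catches this class of bug before review.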