PT-2026-24821 · Git+3 · Studiocms

Restriction · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-32104

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
StudioCMS versions prior to 0.4.3

Description
StudioCMS is a server-side-rendered, Astro-native, headless content management system. The updateUserNotifications API endpoint ('/studiocms api/dashboard/update-user-notifications') accepts a user ID (id) from the request payload to update a user's notification preferences. The system verifies that the caller is logged in but does not confirm that the caller owns the target account. This allows any authenticated user to modify the notification preferences of any other user, including disabling admin notifications to hinder the detection of malicious activity. The vulnerable code resides in packages/studiocms/frontend/pages/studiocms api/ handlers/dashboard/users.ts:257-311. The updateUserNotifications function uses the attacker-controlled id parameter to select which user's data is updated, bypassing proper authorization checks.

Recommendations
Versions prior to 0.4.3 should be updated to version 0.4.3 or later. Add an ownership check to the updateUserNotifications handler in packages/studiocms/frontend/pages/studiocms api/ handlers/dashboard/users.ts to ensure that users can only modify their own notification preferences and that only administrators can modify any user's preferences. Specifically, add the following check after the login check: 'if (id !== userData.user?.id && !userData.userPermissionLevel.isAdmin)'.
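The following is an added example, not StudioCMS's own code: a minimal model of the update-user-notifications handler showing the pre-fix behaviour described above (login check only) beside the fixed behaviour with the ownership/admin check the advisory recommends. The session fields `userData.user?.id` and `userData.userPermissionLevel.isAdmin` are taken from the check quoted in the advisory; the in-memory store, the request and response shapes, and the sample users are assumptions made for this example.

```typescript
// Added example (not StudioCMS code). Models the authorization gap and its fix
// for an "update another user's notification preferences" endpoint.

interface NotificationPrefs { email: boolean; adminAlerts: boolean }
interface SessionUser { id: string }
// Shape assumed from the advisory's quoted check:
// userData.user?.id and userData.userPermissionLevel.isAdmin
interface UserData { user?: SessionUser; userPermissionLevel: { isAdmin: boolean } }
interface UpdateRequest { id: string; notifications: Partial<NotificationPrefs> }
interface HandlerResponse { status: number; message: string }

type Store = Map<string, NotificationPrefs>;

// Constructed sample data: one admin account and one ordinary account.
function makeStore(): Store {
  return new Map<string, NotificationPrefs>([
    ["admin-1", { email: true, adminAlerts: true }],
    ["user-2", { email: true, adminAlerts: false }],
  ]);
}

// Shared persistence step; callers decide whether the write is authorized.
function applyUpdate(store: Store, id: string, prefs: Partial<NotificationPrefs>): HandlerResponse {
  const current = store.get(id);
  if (!current) return { status: 404, message: "User not found" };
  store.set(id, { ...current, ...prefs });
  return { status: 200, message: "Notifications updated" };
}

// Pre-0.4.3 behaviour as the advisory describes it: only "is the caller logged in?"
// is checked, so the request-supplied id decides whose preferences change.
function updateUserNotificationsUnchecked(
  store: Store, userData: UserData, req: UpdateRequest,
): HandlerResponse {
  if (!userData.user) return { status: 401, message: "Unauthorized" };
  return applyUpdate(store, req.id, req.notifications);
}

// Fixed behaviour: the ownership/admin check from the advisory runs right after
// the login check. A non-admin may only touch their own record.
function updateUserNotifications(
  store: Store, userData: UserData, req: UpdateRequest,
): HandlerResponse {
  if (!userData.user) return { status: 401, message: "Unauthorized" };
  if (req.id !== userData.user?.id && !userData.userPermissionLevel.isAdmin) {
    return { status: 403, message: "Forbidden" };
  }
  return applyUpdate(store, req.id, req.notifications);
}

// Stand-alone demonstration: the same cross-account request against both handlers.
const demoCaller: UserData = { user: { id: "user-2" }, userPermissionLevel: { isAdmin: false } };
const demoRequest: UpdateRequest = { id: "admin-1", notifications: { adminAlerts: false } };
console.log("unchecked:", updateUserNotificationsUnchecked(makeStore(), demoCaller, demoRequest));
console.log("fixed:    ", updateUserNotifications(makeStore(), demoCaller, demoRequest));
```

The point to verify in a review of such a handler is that the authorization decision is keyed on the session's identity, not on the identifier the client sends: with the check in place, a request naming a different id is rejected before any write happens, while self-updates and administrator updates still succeed.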

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-32104
GHSA-9V82-XRM4-MP52

Affected Products

Studiocms