PT-2026-24822 · Git+3 · Studiocms

Restriction · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-32106

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: StudioCMS versions prior to 0.4.3
Description: StudioCMS is a server-side-rendered, Astro-native, headless content management system. A discrepancy exists between the REST API and the Dashboard API in the rank checks applied during user creation. The REST API's createUser endpoint uses string-based rank checks that only prevent the creation of 'owner' accounts, while the Dashboard API uses an indexOf-based rank comparison that blocks the creation of users with a rank equal to or higher than the current user's rank. This inconsistency allows an administrator to create additional administrator accounts through the REST API, potentially leading to privilege proliferation and persistence. The vulnerable code resides in packages/studiocms/frontend/pages/studiocms api/handlers/rest-api/v1/secure.ts, lines 1365-1378. The API endpoint involved is /studiocms api/rest/v1/secure/users. The vulnerable parameter is rank within the request body. A proof of concept demonstrates that an administrator can create a new admin user via the REST API using curl and an admin-level API token, bypassing the intended authorization restrictions.
Recommendations: Versions prior to 0.4.3 should be updated to version 0.4.3 or later. Replace the string-based checks with an indexOf comparison in packages/studiocms/frontend/pages/studiocms api/handlers/rest-api/v1/secure.ts.
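The two rank checks the description contrasts, as an added TypeScript illustration (not StudioCMS's own code): the rank names, their ordering and the handler shape are assumed for the example, and unknown rank strings are rejected rather than treated as the lowest rank.

```typescript
// Added illustration of the two rank checks described in the advisory.
// Rank names and their ordering are assumed for this example; they are not
// taken from the StudioCMS source.
type Rank = 'visitor' | 'editor' | 'admin' | 'owner';

// Lowest privilege first, so a larger index means more privilege (assumed order).
const RANK_ORDER: readonly Rank[] = ['visitor', 'editor', 'admin', 'owner'];

// Vulnerable pattern (as the advisory describes the REST API): a string
// comparison that only refuses 'owner'. The actor's own rank is never
// consulted, so an admin token can create further admin accounts.
export function canCreateRankVulnerable(_actorRank: string, newRank: string): boolean {
  return newRank !== 'owner';
}

// Fixed pattern (as the advisory describes the Dashboard API): compare
// positions in the hierarchy and refuse anything at or above the actor's rank.
// indexOf() returns -1 for an unknown rank string; that is rejected outright
// instead of being treated as the lowest rank.
export function canCreateRankFixed(actorRank: string, newRank: string): boolean {
  const actorIdx = RANK_ORDER.indexOf(actorRank as Rank);
  const newIdx = RANK_ORDER.indexOf(newRank as Rank);
  if (actorIdx === -1 || newIdx === -1) return false;
  return newIdx < actorIdx;
}

// Minimal model of the request the advisory names: the 'rank' field of the
// body posted to the users endpoint by a token-holder of a given rank
// (hypothetical shape, not the real handler signature).
export interface CreateUserRequest { rank: string; username: string; }

export function handleCreateUser(
  actorRank: string,
  body: CreateUserRequest,
  check: (actor: string, requested: string) => boolean = canCreateRankFixed,
): { status: number; body: string } {
  if (!check(actorRank, body.rank)) {
    return { status: 403, body: 'rank not permitted for this token' };
  }
  return { status: 201, body: `created ${body.username} as ${body.rank}` };
}
```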

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2026-32106
GHSA-WJ56-G96R-673Q

Affected Products

Studiocms