PT-2026-25850 · Studiocms · Studiocms

Restriction · Published 2026-03-16 · Updated 2026-03-19 · CVE-2026-32638

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: StudioCMS versions prior to 0.4.4
Description: StudioCMS's REST API getUsers endpoint improperly handles the rank query parameter, allowing administrators to bypass intended authorization restrictions and retrieve information about owner accounts. Specifically, an admin token can request rank=owner to receive owner account records, including IDs, usernames, display names, and email addresses, even though the getUser endpoint correctly prevents admins from viewing owner user details. This inconsistency allows owner account enumeration, potentially enabling phishing or social engineering attacks. The vulnerable code path resides in D:/bugcrowd/studiocms/repo/packages/studiocms/frontend/pages/studiocms api/handlers/rest-api/v1/secure.ts, lines 1605-1647, where the rank variable is taken directly from the request query parameter instead of the caller's privilege level. The affected API endpoint is /studiocms api/rest/v1/secure/users. The vulnerable parameter is rank.
Recommendations: Versions prior to 0.4.4: apply rank filtering based on the caller's role, not on the request query parameter, and reuse the same privilege rule as getUser. Replace the existing if (rank !== 'owner') check with a check tied to user.rank (the caller's rank) rather than the query parameter.
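The following is an added illustration, not StudioCMS's own code: it models the getUsers filter shape the advisory describes (the guard keyed on the query parameter) next to the recommended fix (the guard keyed on the caller's rank, sharing one rule with getUser). The rank set, record fields and sample users are assumptions.

```typescript
// Added example, not StudioCMS's own code: models the getUsers rank filter
// the advisory describes and the recommended fix. Rank names are assumed.
type Rank = "owner" | "admin" | "editor" | "visitor";

interface UserRecord {
  id: string;
  username: string;
  name: string;
  email: string;
  rank: Rank;
}

// Single privilege rule, shared by getUser and getUsers: only an owner may
// view owner accounts. (Assumed shape of the getUser check.)
function canView(caller: UserRecord, target: UserRecord): boolean {
  return target.rank !== "owner" || caller.rank === "owner";
}

// Vulnerable shape (reconstructed from the advisory): `rank` is the query
// parameter, so whether owners are hidden is controlled by the requester.
function getUsersVulnerable(users: UserRecord[], _caller: UserRecord, rank: Rank | null): UserRecord[] {
  let visible = users;
  if (rank !== "owner") {
    visible = visible.filter((u) => u.rank !== "owner");
  }
  return rank ? visible.filter((u) => u.rank === rank) : visible;
}

// Fixed shape: authorization depends on the caller's own rank via canView,
// so rank=owner from an admin yields nothing while owners still see everyone.
function getUsersFixed(users: UserRecord[], caller: UserRecord, rank: Rank | null): UserRecord[] {
  const visible = users.filter((u) => canView(caller, u));
  return rank ? visible.filter((u) => u.rank === rank) : visible;
}

// Constructed sample directory (not real accounts).
const USERS: UserRecord[] = [
  { id: "u1", username: "root", name: "Site Owner", email: "owner@example.test", rank: "owner" },
  { id: "u2", username: "alice", name: "Alice", email: "alice@example.test", rank: "admin" },
  { id: "u3", username: "bob", name: "Bob", email: "bob@example.test", rank: "editor" },
];
const ADMIN = USERS[1];
```

With an admin caller, `getUsersVulnerable(USERS, ADMIN, "owner")` returns the owner record while `getUsersFixed` returns an empty list; without a rank filter both return only the non-owner accounts.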

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-32638, GHSA-XVF4-CH4Q-2M24

Affected Products: Studiocms