PT-2026-5037 · Studiocms · Studiocms

Filipegaudard

·

Published

2026-01-27

·

Updated

2026-01-28

·

CVE-2026-24134

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

StudioCMS versions prior to 0.2.0

Description

StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that lets users holding the "Visitor" role read unpublished draft content created by Editor, Admin, or Owner users. The issue stems from insufficient validation in the /dashboard/content-management/edit?edit={UUID} endpoint: it does not verify the requesting user's role or ownership of the content before serving it. The vulnerable parameter is edit, which accepts the content's UUID; a "Visitor" who obtains a draft's UUID can open the edit URL directly and read the draft. This leads to information disclosure and privacy violations, with potential business impact from the exposure of unpublished drafts containing sensitive information.

Recommendations

Versions prior to 0.2.0 should be updated to version 0.2.0 or later.
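The authorization gap described above, modelled as a vulnerable handler beside a hardened one. This is an added example written for this page, not StudioCMS's own implementation or its 0.2.0 fix; the role names come from the advisory, while their ordering, the data shapes, the "editors may only open their own drafts" policy, the sample UUID and every function name are assumptions.

```typescript
// Added example: illustrative code, not StudioCMS's implementation or its fix.
// Role names follow the advisory; ordering, shapes, policy and names are assumed.

type Role = "visitor" | "editor" | "admin" | "owner";

interface User {
  id: string;
  role: Role;
}

interface Content {
  id: string;        // UUID, passed as the `edit` query parameter
  authorId: string;
  draft: boolean;
  body: string;
}

interface Reply {
  status: number;
  body?: string;
}

// Constructed sample data: one unpublished draft written by the editor "e1".
const DRAFT_ID = "2d7f2c3e-9a4b-4c1d-8e5f-1a2b3c4d5e6f";
const CONTENT: Map<string, Content> = new Map([
  [DRAFT_ID, { id: DRAFT_ID, authorId: "e1", draft: true, body: "Q3 layoffs announcement (DRAFT)" }],
]);

// Assumed privilege order; anything below "editor" has no business on the edit endpoint.
const ROLE_RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Vulnerable shape: the session is checked (the CVSS vector's PR:L), but nothing
// about the user's role or the content's ownership is. Any logged-in visitor who
// knows a UUID reads the draft.
function editVulnerable(user: User | null, query: Record<string, string>): Reply {
  if (user === null) return { status: 401 };
  const item = CONTENT.get(query["edit"] ?? "");
  if (item === undefined) return { status: 404 };
  return { status: 200, body: item.body };
}

// Hardened shape: validate the parameter, reject under-privileged roles before the
// lookup (so a visitor cannot even probe which UUIDs exist), then enforce ownership
// for editors. Admins and owners may open any draft (assumed policy).
function editHardened(user: User | null, query: Record<string, string>): Reply {
  if (user === null) return { status: 401 };
  const id = query["edit"] ?? "";
  if (!UUID_RE.test(id)) return { status: 400 };
  if (ROLE_RANK[user.role] < ROLE_RANK.editor) return { status: 403 };
  const item = CONTENT.get(id);
  if (item === undefined) return { status: 404 };
  const isOwner = item.authorId === user.id;
  const isPrivileged = ROLE_RANK[user.role] >= ROLE_RANK.admin;
  if (!isOwner && !isPrivileged) return { status: 403 };
  return { status: 200, body: item.body };
}

// Reproduces the advisory's scenario: a visitor opening an editor's draft by UUID.
function demo(): { vulnerable: number; hardened: number } {
  const visitor: User = { id: "v1", role: "visitor" };
  return {
    vulnerable: editVulnerable(visitor, { edit: DRAFT_ID }).status, // 200: draft disclosed
    hardened: editHardened(visitor, { edit: DRAFT_ID }).status,     // 403: denied
  };
}
```

The hardened handler puts the role gate before the database lookup on purpose: a visitor then gets the same 403 for existing and non-existing UUIDs, so the endpoint cannot be used to confirm which drafts exist. The ownership check for editors necessarily runs after the lookup, so a deployment that treats draft UUIDs as secret may prefer to answer 404 rather than 403 there as well; that is a design choice, not something the advisory specifies.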

Exploit

Fix

Weakness Enumeration

IDOR

Missing Authorization

Related Identifiers

CVE-2026-24134
GHSA-8CW6-53M5-4932

Affected Products

Studiocms