Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.

INFO

Published Date :

2026-03-18T20:41:14.034Z

Last Modified :

2026-03-19T15:01:00.396Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32638 vulnerability.

Vendors Products
Studiocms
  • Studiocms
Withstudiocms
  • Studiocms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32638.

URL Resource
https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64 cve-icon cve-icon
https://github.com/withstudiocms/studiocms/releases/tag/[email protected] cve-icon cve-icon
https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact