CVE-2026-32106 — MEDIUM (4.7)

Q: How severe is CVE-2026-32106?

CVE-2026-32106 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-32106?

Check the references section above for vendor advisories and patch information. Affected products include: Studiocms Studiocms.

Vulnerability Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.

CVSS Score

4.7

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Studiocms	Studiocms	< 0.4.3

Related Weaknesses (CWE)

CWE-269

References

https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-67ExploitVendor Advisory

FAQ

What is CVE-2026-32106?

CVE-2026-32106 is a vulnerability with a CVSS score of 4.7 (MEDIUM). StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner acc...

How severe is CVE-2026-32106?

CVE-2026-32106 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-32106?

Check the references section above for vendor advisories and patch information. Affected products include: Studiocms Studiocms.