StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent getUser endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
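To make the authorization flaw concrete, here is an added example (not StudioCMS code) that models the getUsers filter before and after the fix: `getUsersVulnerable` mirrors the pre-0.4.4 logic in which the caller's `rank` query parameter decides whether owners are hidden, and `getUsersFixed` is a rank-hierarchy filter modelled on the patch. The rank list, its ordering and the user records are constructed for illustration; the example also fails closed when a rank value is missing from the rank list, which goes a step beyond the patched code shown on this page.

```typescript
// Added example, not StudioCMS code. Rank names, ordering and records are constructed.
interface UserRecord {
  id: string;
  username: string;
  name: string;
  email: string;
  rank: string; // kept as string so an unknown rank value can be modelled
}

// Assumed ordering: lowest privilege first. The hierarchy check below relies on it.
const availablePermissionRanks: string[] = ['visitor', 'editor', 'admin', 'owner'];

// Constructed sample data standing in for the users table.
const sampleUsers: UserRecord[] = [
  { id: 'u1', username: 'root', name: 'Site Owner', email: 'owner@example.test', rank: 'owner' },
  { id: 'u2', username: 'alice', name: 'Alice', email: 'alice@example.test', rank: 'admin' },
  { id: 'u3', username: 'bob', name: 'Bob', email: 'bob@example.test', rank: 'editor' },
  { id: 'u4', username: 'ghost', name: 'Ghost', email: 'ghost@example.test', rank: 'legacy' },
];

// Pre-0.4.4 shape: the caller-supplied ?rank= controls whether owners are filtered out,
// so an admin token asking for rank=owner receives the owner records.
function getUsersVulnerable(users: UserRecord[], rankParam?: string): UserRecord[] {
  let data = users;
  if (rankParam !== 'owner') {
    data = data.filter((u) => u.rank !== 'owner');
  }
  if (rankParam) {
    data = data.filter((u) => u.rank === rankParam);
  }
  return data;
}

// Hardened shape modelled on the fix: visibility is derived from the caller's own rank,
// never from the query string. A rank missing from the list (indexOf === -1) on either
// side yields no visibility, so malformed data cannot widen the result set.
function getUsersFixed(users: UserRecord[], caller: UserRecord, rankParam?: string): UserRecord[] {
  const callerIdx = availablePermissionRanks.indexOf(caller.rank);
  let data = users.filter((candidate) => {
    const candidateIdx = availablePermissionRanks.indexOf(candidate.rank);
    return callerIdx !== -1 && candidateIdx !== -1 && callerIdx > candidateIdx;
  });
  if (rankParam) {
    data = data.filter((u) => u.rank === rankParam); // narrowing only, never widening
  }
  return data;
}
```

Calling `getUsersVulnerable(sampleUsers, 'owner')` returns the owner record regardless of who asks, while `getUsersFixed(sampleUsers, alice, 'owner')` returns nothing for the admin caller.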
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studiocms (npm) | < 0.4.4 | 0.4.4 |
Affected products
- Range: < 0.4.4
Patches
aebe8bcb3618 fix(api): improve user filtering logic in RestApiSecureHandler (#1480)
2 files changed · +17 −7
.changeset/itchy-tips-own.md+5 −0 added@@ -0,0 +1,5 @@ +--- +"studiocms": patch +--- + +Fix user filtering logic in RestApiSecureHandler
packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts+12 −7 modified@@ -1636,19 +1636,24 @@ export const RestApiSecureHandler = HttpApiBuilder.group( }) ); - if (rank !== 'owner') { - data = data.filter((user) => user.rank !== 'owner'); - } + const loggedInUserRankIndex = availablePermissionRanks.indexOf(user.rank); + + data = data.filter((candidate) => { + const candidateRankIndex = availablePermissionRanks.indexOf(candidate.rank); + return loggedInUserRankIndex > candidateRankIndex; + }); if (name) { - data = data.filter((user) => user.name.toLowerCase().includes(name.toLowerCase())); + data = data.filter((candidate) => + candidate.name.toLowerCase().includes(name.toLowerCase()) + ); } if (rank) { - data = data.filter((user) => user.rank === rank); + data = data.filter((candidate) => candidate.rank === rank); } if (username) { - data = data.filter((user) => - user.username.toLowerCase().includes(username.toLowerCase()) + data = data.filter((candidate) => + candidate.username.toLowerCase().includes(username.toLowerCase()) ); }
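Review bot: the new filter in secure.ts depends on two assumptions that this hunk neither shows nor asserts: that `availablePermissionRanks` is ordered from lowest to highest privilege (otherwise `loggedInUserRankIndex > candidateRankIndex` inverts and exposes higher-ranked accounts), and that every stored `rank` value appears in that array. `indexOf` returns -1 for an unknown value, so a candidate whose rank string is not in the list gets index -1 and passes the `>` check for every caller with a known rank; consider `return candidateRankIndex !== -1 && loggedInUserRankIndex > candidateRankIndex;` (and failing closed when the caller's own index is -1) plus a comment documenting the expected ordering. Note also that strict `>` now hides same-rank users, so an admin no longer lists other admins; that behaviour change is not mentioned in the changeset entry, which only says "Fix user filtering logic in RestApiSecureHandler".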
References
- github.com/advisories/GHSA-xvf4-ch4q-2m24 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32638 (advisory)
- github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64 (fix commit)
- github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4 (release)
- github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24 (vendor advisory)