StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent getUser endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
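The flaw described above is a policy decision keyed on request input instead of on the authenticated principal. The TypeScript below is an added illustration written for this page, not StudioCMS's own handler: it models a list endpoint in the vulnerable shape (the `rank` query parameter decides whether owners are hidden) beside the hardened shape (the caller's rank decides, and the query parameter can only narrow the result). All names, the `Rank` type and the sample user rows are hypothetical and constructed for the example.

```typescript
// Added example, not code from StudioCMS. Models the getUsers authorization
// inconsistency: an admin-scoped caller asking for `rank=owner` must not
// receive owner records. Type and record names are hypothetical.

type Rank = 'owner' | 'admin' | 'editor' | 'visitor';

interface UserRecord {
  id: string;
  username: string;
  name: string;
  email: string;
  rank: Rank;
}

// Constructed sample data: one owner, one admin, one editor.
const USERS: UserRecord[] = [
  { id: 'u1', username: 'site-owner', name: 'Site Owner', email: 'owner@example.test', rank: 'owner' },
  { id: 'u2', username: 'alice', name: 'Alice', email: 'alice@example.test', rank: 'admin' },
  { id: 'u3', username: 'bob', name: 'Bob', email: 'bob@example.test', rank: 'editor' },
];

// Vulnerable shape: the request decides whether owners are hidden.
// A non-owner caller who passes rank=owner skips the owner filter entirely.
export function getUsersVulnerable(callerRank: Rank, rankParam?: string): UserRecord[] {
  let rows = USERS;
  if (rankParam) rows = rows.filter((u) => u.rank === rankParam);
  // Owners are only hidden when the caller did not explicitly ask for them.
  if (callerRank !== 'owner' && rankParam !== 'owner') {
    rows = rows.filter((u) => u.rank !== 'owner');
  }
  return rows;
}

// Hardened shape: visibility is derived from the authenticated caller first,
// and the attacker-controlled parameter can only remove rows, never add them.
export function getUsersFixed(callerRank: Rank, rankParam?: string): UserRecord[] {
  // Step 1: policy from the principal. Non-owners never see owner accounts.
  let visible = callerRank === 'owner' ? USERS : USERS.filter((u) => u.rank !== 'owner');
  // Step 2: optional narrowing by the query parameter, applied to the
  // already-authorized set so it cannot widen what the caller may see.
  if (rankParam) visible = visible.filter((u) => u.rank === rankParam);
  return visible;
}

// Convenience check a regression test would use: does this handler leak
// any owner record to a non-owner caller for a given rank parameter?
export function leaksOwnerRecords(
  handler: (callerRank: Rank, rankParam?: string) => UserRecord[],
  callerRank: Rank,
  rankParam?: string,
): boolean {
  if (callerRank === 'owner') return false;
  return handler(callerRank, rankParam).some((u) => u.rank === 'owner');
}
```

The point to carry into review of similar list endpoints: the filter that implements an authorization rule must be applied unconditionally before any user-supplied filtering, and a `rank`, `role` or similar parameter should only ever intersect with the set the caller is already allowed to see. A single regression test that calls the handler as an admin with `rank=owner` would have caught the inconsistency between getUsers and getUser.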
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studiocms (npm) | < 0.4.4 | 0.4.4 |
Affected products
- Range: < 0.4.4
References
- https://github.com/advisories/GHSA-xvf4-ch4q-2m24 (GitHub Advisory Database)
- https://nvd.nist.gov/vuln/detail/CVE-2026-32638 (NVD)
- https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64 (fix commit)
- https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4 (0.4.4 release)
- https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24 (vendor advisory)