CVE-2026-24134

6.5 MEDIUM

📋 TL;DR

StudioCMS versions before 0.2.0 contain a Broken Object Level Authorization vulnerability: an authenticated user holding the lowest-privilege 'Visitor' role can read draft content created by Editor, Admin, or Owner users. Any StudioCMS deployment on a vulnerable version that has Visitor accounts alongside higher-privileged roles is affected.

💻 Affected Systems

Products:
  • StudioCMS
Versions: All versions prior to 0.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires multiple user roles with different permission levels (Visitor vs Editor/Admin/Owner)

⚠️ Manual Verification Required

Automated scanners that key on database version ranges may not flag this CVE: at the time of writing the database entry carries no machine-readable affected-version data. The vendor advisory, however, states that the fix shipped in 0.2.0, so treat any installation below 0.2.0 as affected and confirm it with the version check under How to Verify rather than relying on a scanner result.

Recommended Actions:
  1. Review the CVE details at NVD and the vendor advisory linked under Fix & Mitigation
  2. Confirm the installed StudioCMS version (package.json and lockfile)
  3. If it is below 0.2.0, test whether a Visitor-role account can read draft content
  4. Update to 0.2.0 or later

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized disclosure of sensitive draft content, including confidential business information, unpublished announcements, or embargoed materials, to anyone holding a Visitor-role account.

🟠

Likely Case

A Visitor-role user stumbling onto, or deliberately enumerating, draft content that was never meant to be public, leading to information leaks or reputational damage.

🟢

If Mitigated

Limited impact if draft content contains only non-sensitive placeholder text or if visitor access is already restricted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Not known (no public PoC)
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated Visitor-role account; once logged in, reading a draft is a single ordinary request, with no special tooling needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.0

Vendor Advisory: https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932

Restart Required: Yes (the updated dependency only takes effect once the site is rebuilt and redeployed, or the service restarted)

Instructions:

1. Update StudioCMS to version 0.2.0 or later in package.json and your lockfile
2. Rebuild and redeploy (or restart) the application so the new version is actually served
3. Confirm the fix: log in as a Visitor and request a draft you know exists; expect a denial, not the content

🔧 Temporary Workarounds

Disable Visitor Role Access (applies to: all)

Temporarily remove or disable Visitor role accounts until patched.

Content Access Restriction (applies to: all)

Add middleware or reverse-proxy rules that deny requests for draft content unless the session holds the Editor role or higher.
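The bug class behind this advisory, and the route-level stopgap described under Content Access Restriction, in one added example. This is illustrative code written for this page, not StudioCMS's own handlers; the role ladder (Visitor < Editor < Admin < Owner), the post `status` field, the `POSTS` store and the draft route patterns are assumptions, with the route patterns borrowed from the Detection & Monitoring section below.

```javascript
// Added example (not StudioCMS code): object-level authorization for draft content.
// Assumptions (not from the advisory): a role ladder Visitor < Editor < Admin < Owner,
// posts carrying a `status` of 'draft' or 'published', and a session `user` with a `role`.

const ROLE_RANK = { Visitor: 0, Editor: 1, Admin: 2, Owner: 3 };

// Constructed sample store standing in for the CMS database.
const POSTS = new Map([
  ['101', { id: '101', status: 'published', authorRole: 'Editor', title: 'Launch notes' }],
  ['102', { id: '102', status: 'draft', authorRole: 'Admin', title: 'Q3 results (embargoed)' }],
]);

function atLeast(role, required) {
  return (ROLE_RANK[role] ?? -1) >= ROLE_RANK[required];
}

// The bug class on this page: the handler checks that the caller is logged in and that
// the object exists, but never asks whether THIS caller may see THIS object.
function getPostVulnerable(user, id) {
  if (!user) return { status: 401 };
  const post = POSTS.get(id);
  return post ? { status: 200, body: post } : { status: 404 };
}

// Hardened: the object's own state (draft vs published) drives the decision.
// Published posts are readable by any signed-in role; drafts require Editor or higher.
function getPost(user, id) {
  if (!user) return { status: 401 };
  const post = POSTS.get(id);
  if (!post) return { status: 404 };
  if (post.status === 'draft' && !atLeast(user.role, 'Editor')) {
    // Answer 404 rather than 403 so the existence of the draft does not leak either.
    return { status: 404 };
  }
  return { status: 200, body: post };
}

// Stopgap for the workaround section: a route-level gate (proxy or middleware) that
// refuses draft routes to anyone below Editor, independent of the application handler.
// The path patterns are assumed; adjust them to the routes your deployment serves drafts from.
const DRAFT_ROUTES = [/^\/api\/content\/draft\//, /^\/draft\//];
function draftRouteGate(path, role) {
  const isDraftRoute = DRAFT_ROUTES.some((re) => re.test(path));
  if (isDraftRoute && !atLeast(role, 'Editor')) return 403;
  return null; // let the request through to the handler
}

// Stand-alone demonstration.
const visitor = { role: 'Visitor' };
console.log('vulnerable handler, Visitor reads draft:', getPostVulnerable(visitor, '102').status); // 200
console.log('hardened handler, Visitor reads draft:', getPost(visitor, '102').status);            // 404
console.log('route gate, Visitor on /api/content/draft/102:', draftRouteGate('/api/content/draft/102', 'Visitor')); // 403
```

The route gate is deliberately coarse: it knows nothing about individual posts, so it also blocks Visitors from any legitimately public resource that happens to live under a draft path. That is acceptable for a temporary workaround but not a substitute for the object-level check, which is what 0.2.0 adds.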

🧯 If You Can't Patch

  • Isolate StudioCMS from untrusted networks so that only known users can reach the login and content endpoints at all
  • Deny draft-content routes outright at the WAF or reverse proxy for every session that is not Editor or higher; a generic "authorization bypass" rule set cannot tell an authorized draft request from an unauthorized one, so the rule has to be a blunt path block rather than a signature

🔍 How to Verify

Check if Vulnerable:

Check the installed StudioCMS version; if it is below 0.2.0, log in with a Visitor-role account and request a draft created by an Editor, Admin, or Owner. Receiving the draft confirms the vulnerability.

Check Version:

Read the StudioCMS version from package.json and the lockfile (or from your deployment configuration); the lockfile is what was actually installed.

Verify Fix Applied:

After updating to 0.2.0 or later, repeat the same Visitor-role request against the same draft via the API and content endpoints; it must now be refused.

📡 Detection & Monitoring

Log Indicators:

  • Visitor role users successfully fetching draft content
  • Repeated requests to draft content paths (the /api/content/draft/* and /draft/* patterns below are illustrative; substitute the routes your deployment actually serves drafts from)

Network Indicators:

  • HTTP 200 responses to draft content requests from Visitor role accounts (before patching); 401/403 responses to the same requests after patching are the expected, benign signal

SIEM Query:

source="studiocms" AND (uri_path="/api/content/draft/*" OR uri_path="/draft/*") AND user_role="Visitor" AND response_code=200
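The same detection logic as the SIEM query, run over a handful of constructed log lines, as an added example (this is not StudioCMS's log format; the JSON-per-line shape and the field names uri_path, user_role and response_code are assumed to match the query above, and real logs will need a field mapping first).

```javascript
// Added example (not StudioCMS code): the SIEM query above, applied offline to constructed
// log lines. Assumption: one JSON object per line carrying the fields the query uses
// (uri_path, user_role, response_code) plus ts and user. Map real log fields to these first.
const SAMPLE_LOG = [
  '{"ts":"2026-01-15T10:01:02Z","user":"alice","user_role":"Visitor","uri_path":"/blog/launch-notes","response_code":200}',
  '{"ts":"2026-01-15T10:01:09Z","user":"alice","user_role":"Visitor","uri_path":"/api/content/draft/q3-results","response_code":200}',
  '{"ts":"2026-01-15T10:02:11Z","user":"bob","user_role":"Editor","uri_path":"/api/content/draft/q3-results","response_code":200}',
  '{"ts":"2026-01-15T10:03:40Z","user":"alice","user_role":"Visitor","uri_path":"/draft/roadmap","response_code":403}',
  '{"ts":"2026-01-15T10:04:05Z","user":"alice","user_role":"Visitor","uri_path":"/draft/roadmap","response_code":200}',
  'not json at all',
];

// Illustrative draft route patterns from the page; adjust to your deployment.
const DRAFT_PATHS = [/^\/api\/content\/draft\//, /^\/draft\//];

function parseLine(line) {
  try { return JSON.parse(line); } catch { return null; } // skip malformed lines
}

function isDraftPath(p) {
  return typeof p === 'string' && DRAFT_PATHS.some((re) => re.test(p));
}

// Returns one alert per successful draft fetch by a Visitor (the vulnerable condition),
// plus a count of denied attempts, which after patching are the expected signal and
// still worth tracking because they show someone probing.
function detectDraftLeaks(lines) {
  const alerts = [];
  let deniedAttempts = 0;
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !isDraftPath(ev.uri_path)) continue;
    if (ev.user_role !== 'Visitor') continue; // Editor and above are allowed drafts
    if (ev.response_code === 200) {
      alerts.push({ ts: ev.ts, user: ev.user, path: ev.uri_path });
    } else if (ev.response_code === 401 || ev.response_code === 403) {
      deniedAttempts++;
    }
  }
  return { alerts, deniedAttempts };
}

// Per-user tally, useful for prioritising which account to look at first.
function leaksByUser(lines) {
  const counts = {};
  for (const a of detectDraftLeaks(lines).alerts) counts[a.user] = (counts[a.user] || 0) + 1;
  return counts;
}

// Stand-alone demonstration.
console.log(detectDraftLeaks(SAMPLE_LOG)); // 2 alerts for alice, 1 denied attempt
console.log(leaksByUser(SAMPLE_LOG));      // { alice: 2 }
```

Note that the Editor's fetch of the same draft is not flagged: the signal is role plus path plus success, not the path alone, which is why a WAF rule that only looks at the URL cannot express this check.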

🔗 References

  • Vendor advisory: https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932
  • NVD entry for CVE-2026-24134