CVE-2026-32106
📋 TL;DR
StudioCMS versions before 0.4.3 have inconsistent authorization checks between REST API and Dashboard API user creation endpoints. This allows authenticated admin users to create additional admin accounts via the REST API, enabling privilege escalation and persistence. Only StudioCMS instances with admin users are affected.
💻 Affected Systems
- StudioCMS
📦 What is this software?
StudioCMS by the StudioCMS project (withstudiocms on GitHub), an open-source content management system built on Astro.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access creates multiple admin accounts, establishes persistence, and potentially takes full control of the CMS instance and underlying server.
Likely Case
A compromised or malicious admin creates additional admin accounts to maintain access even if their original account is removed or monitored.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized admin account creation which can be detected and remediated.
🎯 Exploit Status
Exploitation requires valid admin credentials (or a session on an already-compromised admin account). Once authenticated, exploitation is a single REST API user-creation request with an admin rank; no memory corruption, race or special tooling is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.3
Vendor Advisory: https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q
Restart Required: Yes
Instructions:
1. Back up your StudioCMS instance and database.
2. Update StudioCMS to version 0.4.3 or later.
3. Restart the StudioCMS service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable REST API user creation
Temporarily disable or restrict access to the REST API createUser endpoint until patching is possible, for example by:
- Configuring the web server (nginx/apache) to block POST requests to the /api/users endpoint
- Adding middleware in front of the REST handler that rejects createUser requests
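The middleware option, as an added example that is not StudioCMS project code. It is a framework-neutral guard; for StudioCMS, which runs on Astro, you would call it from an Astro middleware with the request method, the URL pathname, the caller's rank from your own session lookup and the raw JSON body. The endpoint path /api/users is the one named on this page, the `rank` body field, the rank ordering owner > admin > editor > visitor and the policy itself (only an owner may create equal-or-higher ranks) are assumptions about the intended behaviour, not facts from the advisory; check them against your deployment.

```typescript
// Added example for the workaround above; this is not StudioCMS project code.
// Assumptions (not confirmed by the advisory, verify against your deployment):
//  - the REST createUser endpoint is POST /api/users, the path named on this page;
//  - the JSON body names the new account's rank in a "rank" field;
//  - ranks are ordered owner > admin > editor > visitor.

type Rank = "owner" | "admin" | "editor" | "visitor";

const RANK_ORDER: Record<Rank, number> = { owner: 3, admin: 2, editor: 1, visitor: 0 };

function isRank(value: unknown): value is Rank {
  // hasOwnProperty rather than `in`, so "toString" and friends are not accepted as ranks
  return typeof value === "string" && Object.prototype.hasOwnProperty.call(RANK_ORDER, value);
}

interface Decision {
  allow: boolean;
  status: number; // HTTP status to send when allow is false
  reason: string;
}

interface GuardOptions {
  /** Emergency mode: refuse every REST createUser call regardless of who asks. */
  disableRestCreate?: boolean;
}

/** Is this request the REST createUser call? Tolerates a trailing slash. */
function isCreateUserRequest(method: string, pathname: string): boolean {
  return method.toUpperCase() === "POST" && pathname.replace(/\/+$/, "") === "/api/users";
}

/** Pull the requested rank out of a raw JSON body; undefined if absent, malformed or unknown. */
function parseRequestedRank(body: string): Rank | undefined {
  try {
    const parsed: unknown = JSON.parse(body);
    const rank = (parsed as { rank?: unknown } | null)?.rank;
    return isRank(rank) ? rank : undefined;
  } catch {
    return undefined;
  }
}

/**
 * Decide whether a user-creation request may proceed. One rule, applied to the
 * REST path so it can no longer diverge from the dashboard (assumed policy):
 * only an owner may create accounts of equal or higher rank; everyone else may
 * only create accounts ranked strictly below their own. That is what stops an
 * admin minting further admins.
 */
function guardUserCreation(
  method: string,
  pathname: string,
  callerRank: Rank | null,         // null = unauthenticated
  requestedRank: Rank | undefined, // from parseRequestedRank
  opts: GuardOptions = {},
): Decision {
  if (!isCreateUserRequest(method, pathname)) {
    return { allow: true, status: 200, reason: "not a createUser request" };
  }
  if (opts.disableRestCreate) {
    return { allow: false, status: 403, reason: "REST user creation disabled pending upgrade to StudioCMS 0.4.3" };
  }
  if (callerRank === null) {
    return { allow: false, status: 401, reason: "authentication required" };
  }
  if (requestedRank === undefined) {
    return { allow: false, status: 400, reason: "missing or unknown rank in request body" };
  }
  if (callerRank !== "owner" && RANK_ORDER[requestedRank] >= RANK_ORDER[callerRank]) {
    return { allow: false, status: 403, reason: `${callerRank} may not create a ${requestedRank} account` };
  }
  return { allow: true, status: 200, reason: "ok" };
}
```

Setting `disableRestCreate: true` gives the blunt workaround described above (no REST user creation at all) and is the safer choice until 0.4.3 is deployed; the rank comparison is the finer-grained version for deployments that cannot lose REST user creation entirely. Whichever you pick, apply the guard before the request reaches the REST handler, not after.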
Implement API gateway restrictions
Use an API gateway or reverse proxy to restrict admin API access to trusted IP addresses only. The 192.168.1.0/24 range below is an example; substitute your admin network, and make sure the proxy sees the real client address (not an upstream load balancer's) before trusting the allowlist.
nginx: location /api { allow 192.168.1.0/24; deny all; }
apache: Require ip 192.168.1.0/24
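Both workarounds in one nginx server block, as an added example that is not StudioCMS project configuration. The endpoint path /api/users is the one named on this page, the upstream address and the allowlist range are placeholders; confirm the real REST path against your deployment before relying on this.

```nginx
# Added example, not StudioCMS project config. Goes inside the server {} that
# fronts StudioCMS. Assumptions: /api/users is the REST createUser path named on
# this page; 127.0.0.1:4321 is the upstream app server; 192.168.1.0/24 is the
# admin network. Replace all three with your real values.

# If another proxy or load balancer sits in front of nginx, tell nginx which
# hop to trust for the client address, otherwise the allowlist below sees the
# load balancer's IP for every request and either blocks or admits everyone.
# set_real_ip_from 10.0.0.1;
# real_ip_header   X-Forwarded-For;

# Workaround 1: refuse user creation over the REST API until 0.4.3 is deployed.
# Exact-match location wins over the /api/ prefix below.
location = /api/users {
    if ($request_method = POST) {
        return 403;
    }
    proxy_pass http://127.0.0.1:4321;
}

# Workaround 2: only the admin network may reach the rest of the API.
location /api/ {
    allow 192.168.1.0/24;
    deny  all;
    proxy_pass http://127.0.0.1:4321;
}
```

`location = /api/users` matches that exact path only; if the application also accepts `/api/users/` with a trailing slash, use `location ~ ^/api/users/?$` instead. Keep the 403 for POST even inside the allowlisted network: the vulnerable caller is an authenticated admin, who is exactly the kind of user the allowlist admits.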
🧯 If You Can't Patch
- Implement strict access controls and monitoring for admin accounts
- Regularly audit user accounts and remove unauthorized admin accounts
🔍 How to Verify
Check if Vulnerable:
Check the StudioCMS version. If it is lower than 0.4.3 and the instance has at least one admin account, the system is vulnerable.
Check Version:
Check package.json for version or run: npm list @withstudiocms/studiocms
Verify Fix Applied:
After updating to 0.4.3 or later, attempt to create an admin account via the REST API using admin (not owner) credentials: the request should now be rejected with an authorization error, matching what the Dashboard API already enforced.
📡 Detection & Monitoring
Log Indicators:
- Multiple admin account creations via REST API
- User creation requests from admin accounts to /api/users endpoint
- Failed authorization attempts for user creation
Network Indicators:
- POST requests to /api/users endpoint from admin accounts
- Unusual spike in user creation activity
SIEM Query (Splunk-style; assumes your log pipeline extracts path, method and user fields from the StudioCMS or reverse-proxy logs):
source="studiocms" AND (path="/api/users" AND method="POST") | stats count by user
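The indicators above run over a few constructed log lines, as an added example that is not StudioCMS code. The log format is an assumption (one JSON object per line with ts, user, rank, method, path, status and, for createUser calls, new_rank), the path /api/users is the one named on this page, and the sample lines are made up; map the field names onto whatever your StudioCMS front end and reverse proxy actually emit. It goes one step beyond the stats query: it also separates successful admin-rank creations from denied attempts and flags a burst of creations inside a short window.

```typescript
// Added example, not StudioCMS code. Assumed log shape: one JSON object per
// line; the field names and the sample lines below are constructed.

interface LogEvent {
  ts: string;        // ISO 8601 timestamp
  user: string;      // authenticated principal
  rank: string;      // caller's rank at the time of the request
  method: string;
  path: string;
  status: number;
  new_rank?: string; // rank requested for the new account (createUser only)
}

// Constructed sample data; these are not real StudioCMS log lines.
const SAMPLE_LOG = `
{"ts":"2026-03-01T10:00:00Z","user":"alice","rank":"admin","method":"POST","path":"/api/users","status":201,"new_rank":"editor"}
{"ts":"2026-03-01T10:01:00Z","user":"alice","rank":"admin","method":"POST","path":"/api/users","status":201,"new_rank":"admin"}
{"ts":"2026-03-01T10:02:00Z","user":"alice","rank":"admin","method":"POST","path":"/api/users","status":201,"new_rank":"admin"}
{"ts":"2026-03-01T10:03:00Z","user":"bob","rank":"editor","method":"POST","path":"/api/users","status":403,"new_rank":"admin"}
{"ts":"2026-03-01T10:05:00Z","user":"alice","rank":"admin","method":"GET","path":"/api/users","status":200}
{"ts":"2026-03-01T12:00:00Z","user":"carol","rank":"owner","method":"POST","path":"/api/users","status":201,"new_rank":"admin"}
this line is not JSON and must be skipped
`;

/** Parse JSON-per-line logs, skipping blank or malformed lines instead of aborting. */
function parseLog(text: string): LogEvent[] {
  const events: LogEvent[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    try {
      const obj = JSON.parse(line);
      if (obj && typeof obj.ts === "string" && typeof obj.user === "string" && typeof obj.rank === "string"
          && typeof obj.method === "string" && typeof obj.path === "string" && typeof obj.status === "number") {
        events.push(obj as LogEvent);
      }
    } catch {
      // malformed line: skip
    }
  }
  return events;
}

/** The page's network indicator: POST to /api/users (trailing slash tolerated). */
function isCreateUserEvent(e: LogEvent): boolean {
  return e.method.toUpperCase() === "POST" && e.path.replace(/\/+$/, "") === "/api/users";
}

interface Finding {
  user: string;
  callerRank: string;
  createAttempts: number; // every POST /api/users by this user, any outcome
  adminCreated: number;   // successful (2xx) creations of admin or owner accounts
  denied: number;         // 401/403 responses: the fix or a workaround doing its job
  spike: boolean;         // >= spikeThreshold create calls inside one windowMs window
}

function analyze(events: LogEvent[], spikeThreshold = 3, windowMs = 10 * 60 * 1000): Finding[] {
  const byUser = new Map<string, LogEvent[]>();
  for (const e of events) {
    if (!isCreateUserEvent(e)) continue;
    const list = byUser.get(e.user);
    if (list) list.push(e); else byUser.set(e.user, [e]);
  }
  const findings: Finding[] = [];
  byUser.forEach((evs, user) => {
    evs.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    // Sliding window over timestamps: a spike is spikeThreshold calls within windowMs.
    let spike = false;
    for (let i = 0, j = 0; i < evs.length && !spike; i++) {
      while (Date.parse(evs[i].ts) - Date.parse(evs[j].ts) > windowMs) j++;
      spike = i - j + 1 >= spikeThreshold;
    }
    findings.push({
      user,
      callerRank: evs[evs.length - 1].rank,
      createAttempts: evs.length,
      adminCreated: evs.filter(e => e.status >= 200 && e.status < 300
        && (e.new_rank === "admin" || e.new_rank === "owner")).length,
      denied: evs.filter(e => e.status === 401 || e.status === 403).length,
      spike,
    });
  });
  // Most suspicious first: admin-rank creations, then raw volume.
  return findings.sort((a, b) => b.adminCreated - a.adminCreated || b.createAttempts - a.createAttempts);
}

function findingsFor(text: string): Finding[] {
  return analyze(parseLog(text));
}

for (const f of findingsFor(SAMPLE_LOG)) {
  const flags = [f.adminCreated > 0 ? "ADMIN_CREATED" : "", f.spike ? "SPIKE" : "", f.denied > 0 ? "DENIED" : ""]
    .filter(Boolean).join(",");
  console.log(`${f.user} (${f.callerRank}): create=${f.createAttempts} admin=${f.adminCreated} denied=${f.denied} ${flags}`);
}
```

On the sample, alice (an admin) is flagged for two successful admin creations inside a three-call burst, which is the exact pattern this CVE enables; bob's 403 shows what a patched instance or an active workaround produces and is worth alerting on as an attempt; carol is an owner creating an admin, which is legitimate but still belongs in the account audit from the "If You Can't Patch" section.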