CVE-2026-24134
MEDIUM 6.5 | EPSS 0.05% | StudioCMS has Authorization Bypass Through User-Controlled Key
Description
### Summary

StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.

### Details

**The Issue:**

The endpoint `/dashboard/content-management/edit?edit={UUID}` validates user authentication but does NOT validate:

1. User role (should require Editor/Admin/Owner)
2. Content ownership (should verify the draft belongs to the user)

This allows users with the "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.

### PoC

- **User A:** Editor role (example username: `dummy04`)
- **User B:** Visitor role (example username: `dummy01`)

**Reproduction Steps:**

**Step 1 - Create draft as Editor:**

1. Login as User A (Editor role)
2. Navigate to: `http://localhost:4321/dashboard/content-management`
3. Create new content (it will stay as a draft)
4. After saving, note the UUID in the URL:

   ```
   http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148
   ```

   Copy this UUID: `bad87630-69a4-4cd6-bcb2-6965839dc148`

**Step 2 - Access draft as Visitor:**

1. Login as Visitor and get the `auth_session` cookie:

   ```
   curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$'
   ```

   ![01](https://github.com/user-attachments/assets/86c5290e-e7a2-470e-bbf5-5f5247eddec1)

2. Proof of Visitor permission:

   ![02](https://github.com/user-attachments/assets/aabd47d3-163f-4a56-8296-08bd40c5ccdc)

3. Access the Editor's draft using the UUID:

   ```
   curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v
   ```

**Result:** Returns the full HTML page with the draft content (200 OK)

### Impact

**Impact Scenarios:**

1. **Information Disclosure:**
   - Visitor users can read unpublished drafts containing sensitive information
   - Drafts may contain confidential business information, unreleased announcements, or proprietary content
   - Competitive intelligence could be gathered from draft content
2. **Privacy Violation:**
   - Personal notes, work-in-progress content, or internal communications in drafts are exposed
   - Violation of content creators' privacy expectations
3. **Business Impact:**
   - Premature disclosure of marketing campaigns, product launches, or announcements
   - Loss of competitive advantage if draft strategies are exposed
   - Potential compliance issues if drafts contain regulated information
4. **Complete RBAC Bypass:**
   - The entire role-based access control system for draft content is bypassed
   - The "Visitor" role becomes equivalent to "Editor" for read access to drafts
   - Undermines the trust model of multi-user content management
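The advisory's root cause is that the edit endpoint stops at "is there a session?" and never asks "may this role, and this user, see this object?". The following is an added illustration of that gap and of the two missing checks, written as a plain Node.js handler; it is not StudioCMS code, and the role names, the in-memory draft store, the session shape and the function names (`loadDraftVulnerable`, `loadDraftHardened`, `attempt`) are all assumptions chosen for the example. Letting Admin/Owner read any draft while Editors see only their own is likewise an assumed policy, not one the advisory specifies.

```javascript
// Added example, not StudioCMS code: object-level authorization for a
// "load draft for editing" handler. Everything below is constructed.

// Assumed role set that is allowed into the content editor at all.
const EDITOR_ROLES = new Set(["editor", "admin", "owner"]);

// Constructed sample store: one unpublished draft owned by the editor account.
const DRAFTS = new Map([
  ["draft-0001", { authorId: "u-editor", status: "draft", title: "Unreleased post" }],
  ["post-0002", { authorId: "u-editor", status: "published", title: "Public post" }],
]);

// Constructed sessions standing in for the cookie-backed session lookup.
const SESSIONS = {
  visitor: { userId: "u-visitor", role: "visitor" },
  author: { userId: "u-editor", role: "editor" },
  otherEditor: { userId: "u-editor2", role: "editor" },
  admin: { userId: "u-admin", role: "admin" },
};

class AuthzError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Vulnerable shape (the BOLA pattern in the advisory): authentication only,
// then the handler serves whatever id the client put in ?edit=.
function loadDraftVulnerable(session, draftId) {
  if (!session) throw new AuthzError(401, "not authenticated");
  const draft = DRAFTS.get(draftId);
  if (!draft) throw new AuthzError(404, "not found");
  return draft;
}

// Hardened shape: authentication, then a role gate, then a per-object check
// that ties the record to the caller before anything is rendered.
function loadDraftHardened(session, draftId) {
  if (!session) throw new AuthzError(401, "not authenticated");
  if (!EDITOR_ROLES.has(session.role)) throw new AuthzError(403, "role not permitted");

  const draft = DRAFTS.get(draftId);
  // Missing and foreign objects both answer 404 so the response does not
  // confirm that a guessed UUID exists (design choice, not a requirement).
  if (!draft) throw new AuthzError(404, "not found");

  const isOwner = draft.authorId === session.userId;
  const isPrivileged = session.role === "admin" || session.role === "owner";
  if (draft.status === "draft" && !isOwner && !isPrivileged) {
    throw new AuthzError(404, "not found");
  }
  return draft;
}

// Runs a handler and turns the outcome into an HTTP-style status for comparison.
function attempt(handler, session, draftId) {
  try {
    return { status: 200, draft: handler(session, draftId) };
  } catch (err) {
    if (err instanceof AuthzError) return { status: err.status };
    throw err;
  }
}

// Stand-alone demo: the same request against both handlers, per session.
for (const [name, session] of Object.entries({ anonymous: null, ...SESSIONS })) {
  console.log(
    name.padEnd(12),
    "vulnerable:", attempt(loadDraftVulnerable, session, "draft-0001").status,
    "hardened:", attempt(loadDraftHardened, session, "draft-0001").status,
  );
}
```

The point to take from the comparison is that the role gate alone is not enough: `otherEditor` passes the role check yet still gets 404 from the hardened handler because the ownership check is evaluated against the object, not the route. Both checks belong in the server-side handler that reads the record; a dashboard UI that hides the edit link for Visitors, as the advisory's second screenshot shows, does not constrain a direct request.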
Affected packages (1)
- npm/studiocms: from 0, < 0.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-24134
- PATCH: https://github.com/withstudiocms/studiocms
- WEB: https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad
- WEB: https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0
- WEB: https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932