CVE-2026-32101 | THREATINT

Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-12 | Assigner GitHub_M

HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Problem types

CWE-863: Incorrect Authorization

Product status

< 0.3.1

affected

References

github.com/...diocms/security/advisories/GHSA-mm78-fgq8-6pgr

cve.org (CVE-2026-32101)

nvd.nist.gov (CVE-2026-32101)

Download JSON