CVE-2026-32104 | THREATINT

Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-12 | Assigner GitHub_M

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 0.4.3

affected

References

github.com/...diocms/security/advisories/GHSA-9v82-xrm4-mp52

cve.org (CVE-2026-32104)

nvd.nist.gov (CVE-2026-32104)

Download JSON