StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation

Description

The POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account.

Recommendation

Update the studiocms package to the latest compatible version. Followings are version details:

• Affected version(s): <= 0.4.2
• Patched version(s): 0.4.3

References

• GHSA-h7vr-cg25-jf8c
• CVE-2026-32103
• CWE-639
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - payload - CVE-2026-34751
• Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - CVE-2026-34751
• StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens - CVE-2026-32638
• SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover - CVE-2026-44648

You might also like:

How do hackers hack websites?

Should I Hide My Admin Login Page? Yes, You Should!

Update Cheat Sheet for Developers

Tags:

npm

studiocms