StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation
- Severity: Medium
Description
The POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account.
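The defect is an authorization check that asks only "is the caller an admin?" and never compares the caller's privilege against the target account's. The following is an added illustration, not StudioCMS code: it models a reset-link endpoint over a constructed in-memory user table and role ranking (visitor, editor, admin, owner are assumptions for the example) and shows the vulnerable policy next to a hardened one that requires the caller to strictly outrank the target, or to be the target. It also records an in-memory audit entry for every issued token, which is the signal a defender would want when reviewing who generated reset links for whom.

```typescript
import { randomBytes } from "node:crypto";

// Constructed role ranking (assumption for this example, not StudioCMS's
// own model): a higher number means more privilege.
type Role = "visitor" | "editor" | "admin" | "owner";
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

interface User {
  id: string;
  username: string;
  role: Role;
}

// Constructed sample users standing in for a database table.
const USERS: User[] = [
  { id: "u1", username: "owner", role: "owner" },
  { id: "u2", username: "alice", role: "admin" },
  { id: "u3", username: "bob", role: "editor" },
];

// In-memory audit trail of issued reset tokens (who targeted whom).
export const AUDIT: string[] = [];

function findUser(id: string): User | undefined {
  return USERS.find((u) => u.id === id);
}

type Policy = (actor: User, target: User) => boolean;

// Vulnerable policy: any admin may generate a reset token for any user,
// including the owner. The target is never consulted, which is the IDOR
// described in the advisory.
export const canCreateResetLinkVulnerable: Policy = (actor, _target) =>
  RANK[actor.role] >= RANK.admin;

// Hardened policy: the caller must be at least admin AND must strictly
// outrank the target account, unless the target is the caller's own account.
// An admin therefore can no longer mint a reset token for the owner.
export const canCreateResetLinkHardened: Policy = (actor, target) => {
  if (RANK[actor.role] < RANK.admin) return false;
  if (actor.id === target.id) return true;
  return RANK[actor.role] > RANK[target.role];
};

interface ResetLinkRequest {
  actorId: string; // identity of the authenticated caller (from the session)
  targetUserId: string; // user ID supplied in the request body
}

interface ResetLinkResponse {
  status: number;
  token?: string;
  error?: string;
}

// Handler for a create-reset-link style endpoint, parameterised by policy so
// the vulnerable and hardened behaviour can be compared on the same input.
export function createResetLink(req: ResetLinkRequest, policy: Policy): ResetLinkResponse {
  const actor = findUser(req.actorId);
  if (!actor) return { status: 401, error: "unauthenticated" };

  const target = findUser(req.targetUserId);
  // One 403 for both "no such user" and "not permitted", so the endpoint does
  // not confirm which user IDs exist to a caller who may not target them.
  if (!target || !policy(actor, target)) return { status: 403, error: "forbidden" };

  // 256-bit random token; a real deployment would store a hash with an expiry.
  const token = randomBytes(32).toString("hex");
  AUDIT.push(`reset-link issued: actor=${actor.username}(${actor.role}) target=${target.username}(${target.role})`);
  return { status: 200, token };
}

// Stand-alone demonstration: same request, two policies.
const attempt: ResetLinkRequest = { actorId: "u2", targetUserId: "u1" }; // admin -> owner
console.log("vulnerable:", createResetLink(attempt, canCreateResetLinkVulnerable).status); // 200
console.log("hardened:  ", createResetLink(attempt, canCreateResetLinkHardened).status); // 403
```

The key design choice is that the policy receives both principal and resource: an authorization decision on a user-management endpoint has to look at the target row, not only at the caller's role. The audit array is the detection hook; in a real service the same line would go to the application log so that a reset token issued against a higher-privileged account stands out.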
Recommendation
Update the studiocms package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 0.4.2
- Patched version(s): 0.4.3
References
Related Issues
- StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens - CVE-2026-32638
- Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248
- Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
- Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
- Tags: npm, studiocms
Last updated on March 12, 2026