StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
- Severity: Medium
Description
The `updateUserNotifications` endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account, i.e. it has no rejection path for `id !== userData.user.id`, so any authenticated user can overwrite any other user's settings.
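The following added example (not StudioCMS code; the `Prefs`, `Session`, `Payload`, `newStore` and handler names are constructed for illustration) shows the vulnerable handler shape beside the hardened one, with an in-memory map standing in for the database.

```typescript
// Constructed illustration of the IDOR class described above; not StudioCMS code.
interface Prefs { emailOnMention: boolean; emailDigest: boolean }
interface Session { user: { id: string } }
interface Payload { id: string; prefs: Partial<Prefs> }
interface Result { status: number; prefs?: Prefs }
type Store = Map<string, Prefs>;

// Constructed in-memory user table standing in for the database.
function newStore(): Store {
  return new Map<string, Prefs>([
    ["alice", { emailOnMention: true, emailDigest: true }],
    ["bob", { emailOnMention: true, emailDigest: false }],
  ]);
}

// Vulnerable shape: checks only that a session exists, then trusts payload.id.
function updateNotificationsVulnerable(db: Store, session: Session | null, payload: Payload): Result {
  if (!session) return { status: 401 };
  const current = db.get(payload.id);
  if (!current) return { status: 404 };
  const next: Prefs = { ...current, ...payload.prefs };
  db.set(payload.id, next); // writes whichever account the payload named
  return { status: 200, prefs: next };
}

// Hardened shape: same authentication, plus the ownership check the vulnerable
// version lacks. (Ignoring payload.id and keying on session.user.id instead
// removes the user-controlled key entirely.)
function updateNotificationsFixed(db: Store, session: Session | null, payload: Payload): Result {
  if (!session) return { status: 401 };
  if (payload.id !== session.user.id) return { status: 403 }; // caller must own the target
  const current = db.get(payload.id);
  if (!current) return { status: 404 };
  const next: Prefs = { ...current, ...payload.prefs };
  db.set(payload.id, next);
  return { status: 200, prefs: next };
}
```

A 403 from the mismatch branch is also a useful audit signal: a burst of them from one session is a cheap detection for probing of this endpoint.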
Recommendation
Update the studiocms package to the latest compatible version. Version details:
- Affected version(s): <= 0.4.2
- Patched version(s): 0.4.3
References
Related Issues
- Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
- parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user - CVE-2026-30229
- StudioCMS has Authorization Bypass Through User-Controlled Key - CVE-2026-24134
- StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts - CVE-2026-32106
- Tags: npm, studiocms
Last updated on March 12, 2026