StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts
- Severity: Medium
Description
The REST API createUser endpoint uses a string-based rank check that only blocks creating owner accounts, whereas the Dashboard API uses an indexOf-based rank comparison that prevents creating users at or above the caller's own rank. As a result, an admin token can create additional admin accounts through the REST API, which the Dashboard API would refuse.
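As an added illustration (not StudioCMS code), the following TypeScript places the two styles of check the description contrasts side by side: a string check that only refuses the owner rank, and an ordered-ladder check that refuses any target rank at or above the caller's. The rank names and their order are assumed for the example; the function names are hypothetical. The `disagreements` helper enumerates every caller/target pair on which the two checks differ, which is the window a reviewer would want closed by applying the ladder comparison on the REST path as well.

```typescript
// Added example, not StudioCMS code. Rank ladder is assumed, lowest to highest.
const RANKS = ["visitor", "editor", "admin", "owner"] as const;
type Rank = (typeof RANKS)[number];

// Weak check in the style the advisory attributes to the REST endpoint:
// a plain string comparison that only refuses to mint owner accounts.
export function restCanCreate(_callerRank: string, targetRank: string): boolean {
  return targetRank !== "owner";
}

// Rank-aware check in the style attributed to the Dashboard API:
// compare positions in the ordered ladder and reject unknown rank strings.
export function dashboardCanCreate(callerRank: string, targetRank: string): boolean {
  const caller = RANKS.indexOf(callerRank as Rank);
  const target = RANKS.indexOf(targetRank as Rank);
  if (caller === -1 || target === -1) return false; // unknown rank: deny
  return target < caller; // only strictly lower ranks may be created
}

// Enumerate the (caller, target) pairs where the two checks disagree.
export function disagreements(): Array<[Rank, Rank]> {
  const out: Array<[Rank, Rank]> = [];
  for (const caller of RANKS) {
    for (const target of RANKS) {
      if (restCanCreate(caller, target) !== dashboardCanCreate(caller, target)) {
        out.push([caller, target]);
      }
    }
  }
  return out;
}

// Hardened create-user guard for the REST path: same ladder rule as the dashboard.
export function guardCreateUser(callerRank: string, targetRank: string): void {
  if (!dashboardCanCreate(callerRank, targetRank)) {
    throw new Error(`rank '${callerRank}' may not create rank '${targetRank}'`);
  }
}

console.log(disagreements());
```

Running the block prints the six pairs on which the checks diverge; the ones that matter for this advisory are the peer-rank cases such as an admin creating another admin, which the string check permits and the ladder check denies.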
Recommendation
Update the studiocms package to the latest compatible version. The following are the version details:
- Affected version(s): <= 0.4.2
- Patched version(s): 0.4.3
References
Related Issues
- StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check - CVE-2026-32101
- StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens - CVE-2026-32638
- StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation - CVE-2026-32103
- StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings - CVE-2026-32104
- Tags: npm, studiocms
Last updated on March 12, 2026