Description
The REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter, rather than the authenticated caller's own rank, to decide whether owner accounts should be filtered from the result set.
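The following is an added illustration of the pattern the description names, not StudioCMS's own code: a handler that decides whether to hide owner accounts based on a client-supplied `rank` query parameter, next to the same handler keyed off the rank stored in the caller's server-side session. The data model, the `RequestContext` shape and the assumption that owner rows are meant to be hidden from non-owner callers are all hypothetical.

```typescript
// Added example (not StudioCMS code). All names, the user table and the
// request shape are constructed for illustration.

type Rank = 'owner' | 'admin' | 'editor' | 'visitor';

interface UserRecord {
  id: string;
  username: string;
  rank: Rank;
}

// Constructed sample rows standing in for the users table.
const USERS: UserRecord[] = [
  { id: 'u1', username: 'site-owner', rank: 'owner' },
  { id: 'u2', username: 'admin-a', rank: 'admin' },
  { id: 'u3', username: 'editor-b', rank: 'editor' },
];

// Hypothetical stand-in for what the endpoint receives: the authenticated
// caller's session (populated server-side) and the parsed query string.
interface RequestContext {
  session: { userId: string; rank: Rank };
  query: Record<string, string | undefined>;
}

// Vulnerable shape: the filter for owner accounts keys off `query.rank`,
// a value the client sets freely. (Assumed semantics: owner rows are only
// meant to be visible to owners.)
export function getUsersVulnerable(ctx: RequestContext): UserRecord[] {
  const showOwners = ctx.query.rank === 'owner';
  return USERS.filter((u) => showOwners || u.rank !== 'owner');
}

// Hardened shape: the same decision, but derived from the rank recorded in
// the server-side session. The query string plays no part in authorization.
export function getUsersHardened(ctx: RequestContext): UserRecord[] {
  const callerIsOwner = ctx.session.rank === 'owner';
  return USERS.filter((u) => callerIsOwner || u.rank !== 'owner');
}

// Review helper: which owner accounts does a given response expose?
export function exposedOwnerIds(rows: UserRecord[]): string[] {
  return rows.filter((u) => u.rank === 'owner').map((u) => u.id);
}

// Regression-style check: a non-owner session whose query string claims
// rank=owner. The hardened handler must expose no owner rows.
const nonOwnerWithClaimedRank: RequestContext = {
  session: { userId: 'u2', rank: 'admin' },
  query: { rank: 'owner' },
};
console.log('vulnerable exposes:', exposedOwnerIds(getUsersVulnerable(nonOwnerWithClaimedRank)));
console.log('hardened exposes:', exposedOwnerIds(getUsersHardened(nonOwnerWithClaimedRank)));
```

The useful detection check for reviewers is the last block: any authorization-relevant branch that reads from `ctx.query` (or the request body) instead of the session is the defect, regardless of what the parameter is called.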
Recommendation
Update the studiocms package to the latest compatible version. Version details:
- Affected version(s): <= 0.4.3
- Patched version(s): 0.4.4
References
Related Issues
- StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation - CVE-2026-32103
- StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts - CVE-2026-32106
- StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check - CVE-2026-32101
- Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
Tags:
- npm
- studiocms
Last updated on March 18, 2026