StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
- Severity: High
Description
The S3 storage manager's `isAuthorized()` function is declared `async` (it returns `Promise<boolean>`) but is called without `await` in both the POST and PUT handlers. Because a Promise object is always truthy in JavaScript, `!isAuthorized(type)` always evaluates to `false`, so the authorization check is bypassed entirely.
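The following is a constructed illustration of the bug class described above, not code from StudioCMS or the `@studiocms/s3-storage` package: a hypothetical async permission check, a handler that forgets to `await` it, and the corrected handler. Names (`isAuthorized`, `vulnerableHandler`, `fixedHandler`, the `type` values) are assumptions.

```javascript
// Hypothetical async permission lookup (stands in for a DB or session call).
// In the real package this returns Promise<boolean>; here only 'admin' is allowed.
async function isAuthorized(type) {
  return type === 'admin';
}

// Vulnerable pattern: isAuthorized() is NOT awaited, so the `if` tests a Promise
// object. A Promise is always truthy, so `!isAuthorized(type)` is always false
// and the 403 branch is unreachable for every caller.
async function vulnerableHandler(type) {
  if (!isAuthorized(type)) {
    return { status: 403, body: 'Forbidden' };
  }
  return { status: 200, body: 'upload accepted' };
}

// Fixed pattern: await the Promise so the resolved boolean is what gets tested.
async function fixedHandler(type) {
  if (!(await isAuthorized(type))) {
    return { status: 403, body: 'Forbidden' };
  }
  return { status: 200, body: 'upload accepted' };
}

// The JavaScript semantic at the root of the bug: even a Promise that will
// resolve to `false` is truthy as an object.
function promiseIsTruthy() {
  return Boolean(Promise.resolve(false));
}

// Demo: the same unauthorized caller against both handlers.
(async () => {
  console.log('Promise truthy:', promiseIsTruthy());
  console.log('vulnerable, anonymous:', (await vulnerableHandler('anonymous')).status);
  console.log('fixed, anonymous:', (await fixedHandler('anonymous')).status);
  console.log('fixed, admin:', (await fixedHandler('admin')).status);
})();
```

For TypeScript code bases this pattern is caught at lint time by `@typescript-eslint/no-misused-promises` (its `checksConditionals` option reports a Promise used directly as an `if` condition).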
Recommendation
Update the `@studiocms/s3-storage` package to the latest compatible version. Version details:
- Affected version(s): <= 0.3.0
- Patched version(s): 0.3.1
References
Related Issues
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- StudioCMS has Authorization Bypass Through User-Controlled Key - CVE-2026-24134
- @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - CVE-2026-29087
- StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts - CVE-2026-32106
- Tags: npm, @studiocms/s3-storage
Last updated on March 12, 2026