CVE-2026-32104

Exploit

EPSS 0.25%
Veröffentlicht 11.03.2026 20:09:44
Zuletzt bearbeitet 17.03.2026 15:35:38
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Studiocms ≫ Studiocms Version < 0.4.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.163

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-32104

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32104

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32104

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32104