Impact
StudioCMS v0.1.x and earlier contain a broken object level authorization flaw in the content-management subsystem. The flaw allows users holding the minimally privileged "Visitor" role to read draft articles created by Editors, Admins, or Owners. There is no code-execution or privilege-escalation component; the issue is a confidentiality breach that leaks unpublished editorial material to unauthenticated or low-privileged users. The weakness is classified as BOLA (CWE-639) and as a form of authorization bypass (CWE-862).
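The following is an added illustrative example, not code from StudioCMS or the GHSA advisory. It models the class of defect described above in TypeScript (the language of Astro-based projects): a read handler that authenticates the caller but never checks whether the caller may see the specific object it looked up, placed beside a hardened handler that decides access per article. All identifiers (Role, Article, getArticleVulnerable, canReadArticle, getArticleFixed) and the sample articles are assumptions constructed for this example; they do not describe StudioCMS's actual API or data model.

```typescript
// Added illustrative example; names and data are constructed and are not
// StudioCMS identifiers.

type Role = "visitor" | "editor" | "admin" | "owner";

interface User {
  id: string;
  role: Role;
}

interface Article {
  id: string;
  authorId: string;
  title: string;
  body: string;
  published: boolean;
}

// Constructed sample content: one published article and one unpublished draft.
const ARTICLES: Article[] = [
  { id: "a1", authorId: "editor-1", title: "Welcome", body: "public text", published: true },
  { id: "a2", authorId: "editor-1", title: "Q3 roadmap", body: "draft text", published: false },
];

function findArticle(id: string): Article | undefined {
  return ARTICLES.find((a) => a.id === id);
}

// Vulnerable pattern (BOLA, CWE-639): the handler only establishes that the
// caller is a known user, then returns whatever object the caller-supplied id
// resolves to. A Visitor who enumerates draft ids receives the full draft body.
function getArticleVulnerable(user: User, id: string): Article | null {
  if (!user) return null; // authentication only, no per-object authorization
  const article = findArticle(id);
  return article ?? null;
}

// Roles allowed to see unpublished content in this model.
const EDITORIAL_ROLES: ReadonlySet<Role> = new Set<Role>(["editor", "admin", "owner"]);

// Per-object authorization decision: published content is public, drafts are
// limited to editorial staff and the draft's own author.
function canReadArticle(user: User, article: Article): boolean {
  if (article.published) return true;
  if (EDITORIAL_ROLES.has(user.role)) return true;
  return article.authorId === user.id;
}

// Hardened pattern: authorization is evaluated after the lookup, against the
// specific object. A forbidden draft is reported as "not found" so the
// response does not confirm that the id exists.
function getArticleFixed(user: User, id: string): Article | null {
  const article = findArticle(id);
  if (!article) return null;
  return canReadArticle(user, article) ? article : null;
}
```

The fix is the per-object check in getArticleFixed: role-based checks at the route level are not enough when the route serves many objects with different visibility, because the decision depends on the state of the object (here, its published flag and author) rather than on the route alone.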
Affected Systems
Any deployment of StudioCMS from vendor withstudiocms prior to version 0.2.0 is affected. The exposed endpoints belong to the server-side rendered, Astro-native headless CMS platform itself. Updated releases (0.2.0 and later) address the flaw.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate impact and medium exploitation difficulty. With an EPSS score of less than 1 per cent, this vulnerability is currently considered to have a low probability of real-world exploitation, and it is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request made by a Visitor-role user or by an automated scanner that crawls the site and attempts to access draft content through the exposed endpoints. An attacker who succeeds gains read access to any unpublished content, potentially compromising competitive advantage or confidential information.
OpenCVE Enrichment