Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
Published: 2026-03-11
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

StudioCMS’s S3 storage manager mistakenly treats an async authorization check as synchronous because the call to isAuthorized() is not awaited in both POST and PUT request handlers. Since a Promise object in JavaScript is always truthy, the negated check '!isAuthorized(type)' always evaluates to false, completely bypassing the intended permission guard. This flaw allows any authenticated user with the lowest visitor role to upload, delete, rename, and list all files in the configured S3 bucket, resulting in a loss of integrity and control over stored assets.

Affected Systems

Any deployment of StudioCMS using the @studiocms:s3-storage component and running a version earlier than 0.3.1 is vulnerable. Versions up to, but not including, 0.3.1 share the same faulty implementation of isAuthorized().

Risk and Exploitability

The vulnerability has a CVSS score of 7.6, indicating high severity. Its EPSS score is below 1 %, suggesting current exploitation attempts are rare. The flaw is not listed in the CISA KEV catalog. An attacker requires authentication to the CMS and must use the web application's POST or PUT endpoints to trigger the bypass. Based on the description, the likely attack vector is remote, web‑based actions performed by any authenticated visitor‑role user. The missing await makes exploitation trivial for authorized users.

Generated by OpenCVE AI on March 17, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade StudioCMS to the fixed release 0.3.1 or later.
  • If an immediate upgrade is not possible, restrict visitor‑role permissions so they cannot perform file operations through the S3 storage manager.
  • Review and test custom code to ensure that any asynchronous authorization checks are properly awaited before making access decisions.

Generated by OpenCVE AI on March 17, 2026 at 17:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mm78-fgq8-6pgr StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
History

Tue, 17 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Studiocms studiocms
CPEs cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*
Vendors & Products Studiocms studiocms

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Studiocms
Studiocms s3-storage
Vendors & Products Studiocms
Studiocms s3-storage

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
Title StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Studiocms S3-storage Studiocms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:51:19.210Z

Reserved: 2026-03-10T22:02:38.854Z

Link: CVE-2026-32101

cve-icon Vulnrichment

Updated: 2026-03-12T19:51:16.394Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T21:16:16.010

Modified: 2026-03-17T15:24:39.413

Link: CVE-2026-32101

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:37:23Z

Weaknesses