Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Upgrade
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR) in the updateUserNotifications endpoint of StudioCMS. Any authenticated visitor can supply a target user ID in the request payload and modify that user's notification preferences, even if the target user is different from the requestor. This allows an attacker to disable or alter notifications for any account, including administrators, thereby suppressing alerts and possibly hiding malicious activity. The weakness is identified as CWE-639.
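As an added illustration of the missing check described above (example code written for this page, not StudioCMS's own; the in-memory store, preference field names, roles and function names are hypothetical), the vulnerable handler pattern is shown beside its hardened form. The hardened handler compares the payload's target id with the session's user id before any write, and records denied attempts so a defender can alert on them.

```typescript
// Added example (not StudioCMS code): a minimal model of an
// "update notification preferences" endpoint, first with the missing
// ownership check the advisory describes (CWE-639), then hardened.
// Store shape, field names and roles here are hypothetical.

interface NotificationPrefs {
  emailOnNewUser: boolean;       // e.g. alert admins when an account is created
  emailOnLoginFailure: boolean;  // e.g. alert admins on failed logins
}

interface Session {
  user: { id: string; role: "admin" | "editor" | "visitor" };
}

interface UpdatePayload {
  id: string;                    // target user id taken from the request body
  prefs: NotificationPrefs;
}

interface Result {
  status: number;                // HTTP-style status code
  body: string;
}

type PrefsStore = Map<string, NotificationPrefs>;

// Constructed sample data: one admin with alerts on, one ordinary user.
function createStore(): PrefsStore {
  return new Map<string, NotificationPrefs>([
    ["admin-1", { emailOnNewUser: true, emailOnLoginFailure: true }],
    ["user-2", { emailOnNewUser: false, emailOnLoginFailure: false }],
  ]);
}

// Vulnerable pattern: authentication is checked, but the target id comes
// straight from the payload and is never compared with the caller's id.
function updateUserNotificationsVulnerable(
  store: PrefsStore, session: Session | null, payload: UpdatePayload,
): Result {
  if (session === null) return { status: 401, body: "login required" };
  if (!store.has(payload.id)) return { status: 404, body: "unknown user" };
  store.set(payload.id, payload.prefs); // writes whichever id the caller chose
  return { status: 200, body: "updated" };
}

// Audit records for denied cross-account writes; a detection rule can
// alert when these appear for a given actor.
interface AuditEvent { actor: string; target: string; reason: string }
const auditLog: AuditEvent[] = [];

// Hardened version: same authentication check, plus the ownership check
// (id !== userData.user.id in the advisory's terms) before any lookup or
// write. Doing the ownership check first also avoids leaking, via 404 vs
// 403, whether a guessed id exists.
function updateUserNotificationsFixed(
  store: PrefsStore, session: Session | null, payload: UpdatePayload,
): Result {
  if (session === null) return { status: 401, body: "login required" };
  if (payload.id !== session.user.id) {
    auditLog.push({ actor: session.user.id, target: payload.id, reason: "ownership check failed" });
    return { status: 403, body: "forbidden" };
  }
  if (!store.has(payload.id)) return { status: 404, body: "unknown user" };
  store.set(payload.id, payload.prefs);
  return { status: 200, body: "updated" };
}

// Number of denied cross-account writes recorded so far.
function deniedAttempts(): number {
  return auditLog.length;
}
```

The equivalent and often simpler fix is to not accept a target id from the body at all and key the write on `session.user.id`; the explicit comparison above is what is needed when the endpoint keeps its existing payload shape. If administrators legitimately need to edit other users' preferences, that should be a separate, role-checked branch rather than a relaxation of this check.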

Affected Systems

The issue affects the StudioCMS product from withstudiocms, specifically any release prior to 0.4.3. Users running versions earlier than 0.4.3 are vulnerable.

Risk and Exploitability

The CVSS score of 5.4 classifies the flaw as moderate. Its EPSS score of less than 1% suggests that exploitation in the wild is unlikely, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack requires only an authenticated session (CVSS vector AV:N, PR:L): any valid user account can manipulate another user's settings. Because the flaw allows modification of notification preferences, including disabling admin alerts, it can undermine detection of malicious activity, but it does not directly grant code execution or broad system compromise.

Generated by OpenCVE AI on March 17, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade StudioCMS to version 0.4.3 or later.



Advisories
Source: Github GHSA
ID: GHSA-9v82-xrm4-mp52
Title: StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
History

Tue, 17 Mar 2026 15:45:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Studiocms; Studiocms studiocms
Type: CPEs | Values Removed: (none) | Values Added: cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*
Type: Vendors & Products | Values Removed: (none) | Values Added: Studiocms; Studiocms studiocms

Thu, 12 Mar 2026 20:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Withstudiocms; Withstudiocms studiocms
Type: Vendors & Products | Values Removed: (none) | Values Added: Withstudiocms; Withstudiocms studiocms

Wed, 11 Mar 2026 20:30:00 +0000

Type: Description | Values Removed: (none) | Values Added: StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
Type: Title | Values Removed: (none) | Values Added: StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-639
Type: References | Values Removed: (none) | Values Added: (none)
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:48:05.180Z

Reserved: 2026-03-10T22:02:38.854Z

Link: CVE-2026-32104

Vulnrichment

Updated: 2026-03-12T19:48:00.284Z

NVD

Status : Analyzed

Published: 2026-03-11T21:16:16.457

Modified: 2026-03-17T15:35:38.860

Link: CVE-2026-32104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:19Z

Weaknesses