Impact
StudioCMS, a server‑side‑rendered, Astro‑native headless CMS, contains a flaw in the REST API createUser endpoint: a string‑based rank check blocks only the creation of owner accounts. The Dashboard API, by contrast, uses an indexOf‑based comparison that correctly prevents users from creating accounts at or above their own rank. Because of this inconsistency, an authenticated admin can create additional admin accounts through the REST API, increasing the number and persistence of privileged accounts. The vulnerability is classified as CWE‑269 (Elevation of Privilege). The described impact is confined to privilege escalation; the advisory does not state that further actions, such as content exfiltration, are possible.
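The two checks contrasted above, side by side, as an added illustration that is not StudioCMS's own code: the rank names, their ordering, and the function names are assumptions made for the example.

```typescript
// Added example (not StudioCMS code). Rank order is assumed, lowest privilege first.
const RANK_ORDER: readonly string[] = ["visitor", "editor", "admin", "owner"];

// Vulnerable variant, modelling the pre-0.4.3 REST API createUser check:
// a plain string comparison that refuses only "owner". An admin requester can
// therefore create another admin, which is the CWE-269 condition described above.
function canCreateVulnerable(requesterRank: string, newRank: string): boolean {
  return newRank !== "owner";
}

// Hardened variant, modelling the Dashboard API comparison: positions in the
// rank order are compared and the new account must sit strictly below the
// requester. Unknown rank strings are rejected explicitly, because indexOf()
// returns -1 for them and a bare numeric comparison would otherwise admit them.
function canCreateHardened(requesterRank: string, newRank: string): boolean {
  const requesterIdx = RANK_ORDER.indexOf(requesterRank);
  const newIdx = RANK_ORDER.indexOf(newRank);
  if (requesterIdx === -1 || newIdx === -1) return false;
  return newIdx < requesterIdx;
}

// Constructed createUser requests from an admin, including one unknown rank.
const REQUESTED_RANKS = ["editor", "admin", "owner", "superuser"];

// Runs a check over the constructed requests and reports which ranks it allows.
function allowedRanks(
  check: (requesterRank: string, newRank: string) => boolean,
  requesterRank = "admin",
): string[] {
  return REQUESTED_RANKS.filter((rank) => check(requesterRank, rank));
}

console.log("vulnerable allows:", allowedRanks(canCreateVulnerable)); // editor, admin, superuser
console.log("hardened allows:  ", allowedRanks(canCreateHardened));   // editor only
```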
Affected Systems
All installations of StudioCMS with a version older than 0.4.3 are affected. The affected product is identified by the CPE string cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:* and is distributed by the vendor withstudiocms.
Risk and Exploitability
The CVSS base score is 4.7, indicating medium severity. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an existing admin account with access to the REST API; the attacker must send a createUser request specifying an admin rank. Based on the description, the likely attack vector is a network‑based API request from a client that already holds administrative privileges or has compromised an admin user. The flaw enables the proliferation of privileged accounts but provides no capability beyond the creation of additional admin accounts.
OpenCVE Enrichment
GitHub GHSA