Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
Published: 2026-03-18
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Upgrade
AI Analysis

Impact

StudioCMS REST API getUsers endpoint allowed an authenticated admin to retrieve owner account information, including IDs, usernames, display names, and email addresses, by setting the rank query parameter to owner. This exposure of sensitive user data constitutes an authorization inconsistency and leads to an information disclosure vulnerability. The weakness is identified as CWE-639, indicating untrusted input can be used to discover account information.

Affected Systems

The affected package is withstudiocms:studiocms. All installations running a version older than 0.4.4 are vulnerable. Version 0.4.4 and later remove the flaw by correctly filtering owner records for admin tokens.

Risk and Exploitability

The CVSS score of 2.7 indicates low to moderate severity, and the EPSS score of less than 1% signals a very low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires possession of a valid admin token, which is likely already granted to authorized administrators. An attacker could simply send a GET request to the getUsers endpoint with rank=owner to harvest owner account data.

Generated by OpenCVE AI on March 19, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply StudioCMS version 0.4.4 or newer to fix the authorization inconsistency.
  • Ensure that admin tokens are tightly controlled and monitored for anomalous activity.
  • Review and adjust admin role permissions to limit exposure of sensitive account data if an upgrade is not immediately possible.
  • Check logs for unexpected getUsers requests with rank=owner.

Generated by OpenCVE AI on March 19, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xvf4-ch4q-2m24 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
History

Thu, 19 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Studiocms
Studiocms studiocms
CPEs cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*
Vendors & Products Studiocms
Studiocms studiocms

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Withstudiocms
Withstudiocms studiocms
Vendors & Products Withstudiocms
Withstudiocms studiocms

Wed, 18 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
Title StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Studiocms Studiocms
Withstudiocms Studiocms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T15:01:00.396Z

Reserved: 2026-03-12T15:29:36.560Z

Link: CVE-2026-32638

cve-icon Vulnrichment

Updated: 2026-03-19T15:00:55.453Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T21:16:26.770

Modified: 2026-03-19T18:40:31.577

Link: CVE-2026-32638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:52:13Z

Weaknesses