{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32101", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.854Z", "datePublished": "2026-03-11T20:03:05.319Z", "dateUpdated": "2026-03-12T19:51:19.210Z"}, "containers": {"cna": {"title": "StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr"}], "affected": [{"vendor": "@studiocms", "product": "s3-storage", "versions": [{"version": "< 0.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:03:05.319Z"}, "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1."}], "source": {"advisory": "GHSA-mm78-fgq8-6pgr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:51:12.831005Z", "id": "CVE-2026-32101", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:51:19.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32101", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:51:12.831005Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:51:16.394Z"}}], "cna": {"title": "StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check", "source": {"advisory": "GHSA-mm78-fgq8-6pgr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "@studiocms", "product": "s3-storage", "versions": [{"status": "affected", "version": "< 0.3.1"}]}], "references": [{"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr", "name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:03:05.319Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32101", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:51:19.210Z", "dateReserved": "2026-03-10T22:02:38.854Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T20:03:05.319Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "matchCriteriaId": "71B8597F-CE95-4810-B95F-E67627E84144", "versionEndExcluding": "0.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1."}, {"lang": "es", "value": "StudioCMS es un sistema de gesti\u00f3n de contenido sin cabeza, nativo de Astro, renderizado en el lado del servidor. Antes de la versi\u00f3n 0.3.1, la funci\u00f3n isAuthorized() del gestor de almacenamiento de S3 est\u00e1 declarada como as\u00edncrona (devuelve Promise) pero es llamada sin await tanto en los manejadores POST como PUT. Dado que un objeto Promise siempre es verdadero en JavaScript, !isAuthorized(type) siempre se eval\u00faa como falso, omitiendo completamente la verificaci\u00f3n de autorizaci\u00f3n. Cualquier usuario autenticado con el rol de visitante m\u00e1s bajo puede cargar, eliminar, renombrar y listar todos los archivos en el bucket de S3. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.3.1."}], "id": "CVE-2026-32101", "lastModified": "2026-03-17T15:24:39.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T21:16:16.010", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "s3-storage", "source": "cna", "vendor": "@studiocms"}, "product": "s3-storage", "vendor": "studiocms"}], "analysis": {"en": {"generated_at": "2026-03-17T17:32:58.823136+00:00", "value": {"mitigation_remediation": ["Upgrade StudioCMS to the fixed release\u202f0.3.1 or later.", "If an immediate upgrade is not possible, restrict visitor\u2011role permissions so they cannot perform file operations through the S3 storage manager.", "Review and test custom code to ensure that any asynchronous authorization checks are properly awaited before making access decisions."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Any deployment of StudioCMS using the @studiocms:s3-storage component and running a version earlier than 0.3.1 is vulnerable. Versions up to, but not including, 0.3.1 share the same faulty implementation of isAuthorized().", "description_and_impact": "StudioCMS\u2019s S3 storage manager mistakenly treats an async authorization check as synchronous because the call to isAuthorized() is not awaited in both POST and PUT request handlers. Since a Promise object in JavaScript is always truthy, the negated check '!isAuthorized(type)' always evaluates to false, completely bypassing the intended permission guard. This flaw allows any authenticated user with the lowest visitor role to upload, delete, rename, and list all files in the configured S3 bucket, resulting in a loss of integrity and control over stored assets.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.6, indicating high severity. Its EPSS score is below 1\u202f%, suggesting current exploitation attempts are rare. The flaw is not listed in the CISA KEV catalog. An attacker requires authentication to the CMS and must use the web application's POST or PUT endpoints to trigger the bypass. Based on the description, the likely attack vector is remote, web\u2011based actions performed by any authenticated visitor\u2011role user. The missing await makes exploitation trivial for authorized users."}}}}, "created": "2026-03-12T09:56:17.917741+00:00", "updated": "2026-03-20T15:37:23.578572+00:00", "vendors": ["studiocms", "studiocms$PRODUCT$s3-storage"]}