{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32103", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.854Z", "datePublished": "2026-03-11T20:06:58.276Z", "dateUpdated": "2026-03-12T19:48:56.254Z"}, "containers": {"cna": {"title": "StudioCMS: IDOR \u2014 Admin-to-Owner Account Takeover via Password Reset Link Generation", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-640", "lang": "en", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c"}], "affected": [{"vendor": "withstudiocms", "product": "studiocms", "versions": [{"version": "< 0.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:08:13.604Z"}, "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3."}], "source": {"advisory": "GHSA-h7vr-cg25-jf8c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:48:49.354364Z", "id": "CVE-2026-32103", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:48:56.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32103", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:48:49.354364Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:48:53.275Z"}}], "cna": {"title": "StudioCMS: IDOR \u2014 Admin-to-Owner Account Takeover via Password Reset Link Generation", "source": {"advisory": "GHSA-h7vr-cg25-jf8c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "withstudiocms", "product": "studiocms", "versions": [{"status": "affected", "version": "< 0.4.3"}]}], "references": [{"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c", "name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:08:13.604Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32103", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:48:56.254Z", "dateReserved": "2026-03-10T22:02:38.854Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T20:06:58.276Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD3D1012-B2EE-465F-8398-96C5B01C1399", "versionEndExcluding": "0.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3."}, {"lang": "es", "value": "StudioCMS es un sistema de gesti\u00f3n de contenido sin cabeza, nativo de Astro, renderizado en el lado del servidor. Antes de la 0.4.3, el punto final POST /studiocms_api/dashboard/create-reset-link permite a cualquier usuario autenticado con privilegios de administrador generar un token de restablecimiento de contrase\u00f1a para cualquier otro usuario, incluida la cuenta del propietario. El gestor verifica que el llamador es un administrador, pero no aplica la jerarqu\u00eda de roles, ni valida que el ID de usuario objetivo coincida con la identidad del llamador. Combinado con el punto final POST /studiocms_api/dashboard/reset-password, esto permite una toma de control completa de la cuenta con los privilegios m\u00e1s altos en el sistema. Esta vulnerabilidad est\u00e1 corregida en la 0.4.3."}], "id": "CVE-2026-32103", "lastModified": "2026-03-17T15:36:29.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T21:16:16.307", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-640"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "studiocms", "source": "cna", "vendor": "withstudiocms"}, "product": "studiocms", "vendor": "withstudiocms"}], "analysis": {"en": {"generated_at": "2026-03-17T17:07:06.581820+00:00", "value": {"mitigation_remediation": ["Apply the StudioCMS 0.4.3 patch or a later version that resolves the IDOR flaw."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation / Account Takeover"}, "threat_synthesis": {"affected_systems": "All installations of StudioCMS running versions earlier than 0.4.3 are affected, including all releases from the first public release up through 0.4.2. The vendor product is withstudiocms:studiocms.", "description_and_impact": "StudioCMS is vulnerable to an Insecure Direct Object Reference (IDOR) that allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The POST\u202f/studiocms_api/dashboard/create-reset-link endpoint verifies the caller is an admin but does not enforce a role hierarchy or confirm that the target userId matches the caller\u2019s identity. When combined with the POST\u202f/studiocms_api/dashboard/reset-password endpoint, this flaw permits an attacker to reset the owner account\u2019s password and gain full control of the system.", "risk_and_exploitability": "The CVSS score for this vulnerability is 6.8, indicating moderate severity. The EPSS score is below 1\u202f%, suggesting a low but non\u2011zero likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue. An attacker with compromised admin credentials, or who successfully authenticates as an admin, can exploit the IDOR by generating a reset link for the owner account and then applying the reset, resulting in full system takeover. The attack requires only authenticated admin access and no additional privileges, making it a straightforward privilege escalation vector."}}}}, "created": "2026-03-12T09:56:16.026408+00:00", "updated": "2026-03-20T15:37:21.747357+00:00", "vendors": ["withstudiocms", "withstudiocms$PRODUCT$studiocms"]}