{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32104", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.854Z", "datePublished": "2026-03-11T20:09:44.879Z", "dateUpdated": "2026-03-12T19:48:05.180Z"}, "containers": {"cna": {"title": "StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52"}], "affected": [{"vendor": "withstudiocms", "product": "studiocms", "versions": [{"version": "< 0.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:09:44.879Z"}, "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3."}], "source": {"advisory": "GHSA-9v82-xrm4-mp52", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:47:56.872818Z", "id": "CVE-2026-32104", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:48:05.180Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32104", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:47:56.872818Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:48:00.284Z"}}], "cna": {"title": "StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings", "source": {"advisory": "GHSA-9v82-xrm4-mp52", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "withstudiocms", "product": "studiocms", "versions": [{"status": "affected", "version": "< 0.4.3"}]}], "references": [{"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52", "name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:09:44.879Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32104", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:48:05.180Z", "dateReserved": "2026-03-10T22:02:38.854Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T20:09:44.879Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD3D1012-B2EE-465F-8398-96C5B01C1399", "versionEndExcluding": "0.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3."}, {"lang": "es", "value": "StudioCMS es un sistema de gesti\u00f3n de contenido sin cabeza, nativo de Astro y renderizado en el lado del servidor. Antes de la versi\u00f3n 0.4.3, el endpoint updateUserNotifications acepta un ID de usuario del payload de la solicitud y lo utiliza para actualizar las preferencias de notificaci\u00f3n de ese usuario. Verifica que el llamador ha iniciado sesi\u00f3n, pero nunca verifica que el llamador es propietario de la cuenta objetivo (id !== userData.user.id). Cualquier visitante autenticado puede modificar las preferencias de notificaci\u00f3n para cualquier usuario, incluyendo la desactivaci\u00f3n de las notificaciones de administrador para suprimir la detecci\u00f3n de actividad maliciosa. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.4.3."}], "id": "CVE-2026-32104", "lastModified": "2026-03-17T15:35:38.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T21:16:16.457", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "studiocms", "source": "cna", "vendor": "withstudiocms"}, "product": "studiocms", "vendor": "withstudiocms"}], "analysis": {"en": {"generated_at": "2026-03-17T17:06:32.794264+00:00", "value": {"mitigation_remediation": ["Upgrade StudioCMS to version 0.4.3 or later."], "summary": {"action": "Upgrade", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue affects the StudioCMS product from withstudiocms, specifically any release prior to 0.4.3. Users running versions earlier than 0.4.3 are vulnerable.", "description_and_impact": "The vulnerability is an Insecure Direct Object Reference (IDOR) in the updateUserNotifications endpoint of StudioCMS. Any authenticated visitor can supply a target user ID in the request payload and modify that user\u2019s notification preferences, even if the target user is different from the requestor. This allows an attacker to disable or alter notifications for any account, including administrators, thereby suppressing alerts and possibly hiding malicious activity. The weakness is identified as CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 5.4 classifies the flaw as moderate. However, its EPSS score of less than 1% suggests that, historically, this type of IDOR has rarely been exploited in the wild. The vulnerability is not designated as a Known Exploited Vulnerability by CISA. Attack vector is internal/knowledge of an authenticated session; an attacker needs only a valid user session to manipulate another user's settings. Because the flaw allows modification of notification preferences\u2014including disabling admin alerts\u2014it can compromise detection of malicious activity but does not directly grant code execution or broad system compromise."}}}}, "created": "2026-03-12T09:56:14.217141+00:00", "updated": "2026-03-20T15:37:19.950689+00:00", "vendors": ["withstudiocms", "withstudiocms$PRODUCT$studiocms"]}