{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32638", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.560Z", "datePublished": "2026-03-18T20:41:14.034Z", "dateUpdated": "2026-03-19T15:01:00.396Z"}, "containers": {"cna": {"title": "StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24"}, {"name": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64", "tags": ["x_refsource_MISC"], "url": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64"}, {"name": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4"}], "affected": [{"vendor": "withstudiocms", "product": "studiocms", "versions": [{"version": "< 0.4.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T20:41:14.034Z"}, "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue."}], "source": {"advisory": "GHSA-xvf4-ch4q-2m24", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T15:00:04.391194Z", "id": "CVE-2026-32638", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T15:01:00.396Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32638", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T15:00:04.391194Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T15:00:55.453Z"}}], "cna": {"title": "StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens", "source": {"advisory": "GHSA-xvf4-ch4q-2m24", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "withstudiocms", "product": "studiocms", "versions": [{"status": "affected", "version": "< 0.4.4"}]}], "references": [{"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24", "name": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64", "name": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4", "name": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T20:41:14.034Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32638", "state": "PUBLISHED", "dateUpdated": "2026-03-19T15:01:00.396Z", "dateReserved": "2026-03-12T15:29:36.560Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T20:41:14.034Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF77B4D2-70E1-4F62-AE18-5726017098A2", "versionEndExcluding": "0.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue."}], "id": "CVE-2026-32638", "lastModified": "2026-03-19T18:40:31.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T21:16:26.770", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "studiocms", "source": "cna", "vendor": "withstudiocms"}, "product": "studiocms", "vendor": "withstudiocms"}], "analysis": {"en": {"generated_at": "2026-03-19T19:23:47.782455+00:00", "value": {"mitigation_remediation": ["Apply StudioCMS version 0.4.4 or newer to fix the authorization inconsistency.", "Ensure that admin tokens are tightly controlled and monitored for anomalous activity.", "Review and adjust admin role permissions to limit exposure of sensitive account data if an upgrade is not immediately possible.", "Check logs for unexpected getUsers requests with rank=owner."], "summary": {"action": "Patch Upgrade", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected package is withstudiocms:studiocms. All installations running a version older than 0.4.4 are vulnerable. Version 0.4.4 and later remove the flaw by correctly filtering owner records for admin tokens.", "description_and_impact": "StudioCMS REST API getUsers endpoint allowed an authenticated admin to retrieve owner account information, including IDs, usernames, display names, and email addresses, by setting the rank query parameter to owner. This exposure of sensitive user data constitutes an authorization inconsistency and leads to an information disclosure vulnerability. The weakness is identified as CWE-639, indicating untrusted input can be used to discover account information.", "risk_and_exploitability": "The CVSS score of 2.7 indicates low to moderate severity, and the EPSS score of less than 1% signals a very low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires possession of a valid admin token, which is likely already granted to authorized administrators. An attacker could simply send a GET request to the getUsers endpoint with rank=owner to harvest owner account data."}}}}, "created": "2026-03-19T08:55:30.409848+00:00", "updated": "2026-03-25T11:52:13.192494+00:00", "vendors": ["withstudiocms", "withstudiocms$PRODUCT$studiocms"]}