CVE-2026-32101
StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
CVSS Score
7.6
EPSS Score
0.0%
EPSS Percentile
0th
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
| CWE | CWE-863 |
| Vendor | @studiocms |
| Product | s3-storage |
| Published | Mar 11, 2026 |
| Last Updated | Mar 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for @studiocms s3-storage
Be the first to know when new high vulnerabilities affecting @studiocms s3-storage are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low
Affected Versions
@studiocms / s3-storage
< 0.3.1