CVE-2026-32103

MEDIUM 6.8

StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation

CVSS Score

6.8

EPSS Score

0.0%

EPSS Percentile

0th

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.

CWE	CWE-639 CWE-640
Vendor	withstudiocms
Product	studiocms
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for withstudiocms studiocms

Be the first to know when new medium vulnerabilities affecting withstudiocms studiocms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

withstudiocms / studiocms

< 0.4.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/withstudiocms/studiocms/security/advisories/GHSA-h7vr-cg25-jf8c