MEDIUM 6.5 npm

StudioCMS has Authorization Bypass Through User-Controlled Key

GHSA-8cw6-53m5-4932 · CVE-2026-24134


Description

Summary

StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.

Details

The Issue:
The endpoint /dashboard/content-management/edit?edit={UUID} validates user authentication but does NOT validate:

  1. User role (should require Editor/Admin/Owner)
  2. Content ownership (should verify the draft belongs to the user)

This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.
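The missing checks, shown as an added example rather than StudioCMS's own code: a handler that only verifies a session exists (the vulnerable shape) beside one that also enforces role and draft ownership. The in-memory `users` and `drafts` tables, the `loadDraft*` functions and the role names are assumptions for illustration.

```typescript
// Added example (not StudioCMS code): authorization for the draft edit endpoint.
type Role = "visitor" | "editor" | "admin" | "owner";

interface User { id: string; role: Role }
interface Draft { id: string; authorId: string; published: boolean }

// Hypothetical in-memory store standing in for the CMS database.
const drafts: Draft[] = [
  { id: "bad87630-69a4-4cd6-bcb2-6965839dc148", authorId: "dummy04", published: false },
];
const users: Record<string, User> = {
  dummy04: { id: "dummy04", role: "editor" },
  dummy01: { id: "dummy01", role: "visitor" },
};

// Roles permitted to open the content editor at all.
const EDIT_ROLES: ReadonlySet<Role> = new Set<Role>(["editor", "admin", "owner"]);

type Decision = { status: 200; draft: Draft } | { status: 401 | 403 | 404 };

// Vulnerable shape: only checks that the caller is authenticated.
function loadDraftUnsafe(userId: string | null, draftId: string): Decision {
  if (!userId || !users[userId]) return { status: 401 };
  const draft = drafts.find((d) => d.id === draftId);
  return draft ? { status: 200, draft } : { status: 404 };
}

// Hardened: authentication, then role, then object-level ownership.
// Admin/owner may open any draft; editors only their own.
function loadDraft(userId: string | null, draftId: string): Decision {
  if (!userId) return { status: 401 };
  const user = users[userId];
  if (!user) return { status: 401 };
  if (!EDIT_ROLES.has(user.role)) return { status: 403 };
  const draft = drafts.find((d) => d.id === draftId);
  // 404 for both "missing" and "not yours" so the response does not confirm the UUID exists.
  if (!draft) return { status: 404 };
  const privileged = user.role === "admin" || user.role === "owner";
  if (!privileged && draft.authorId !== user.id) return { status: 404 };
  return { status: 200, draft };
}
```

Note that the ownership check runs after the role check, so a user who passes the role gate still cannot enumerate other editors' drafts by UUID.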

PoC

  • User A: Editor role (example username: dummy04)
  • User B: Visitor role (example username: dummy01)

Reproduction Steps:

Step 1 - Create draft as Editor:

  1. Login as User A (Editor role)
  2. Navigate to: http://localhost:4321/dashboard/content-management
  3. Create new content (it will stay as draft)
  4. After saving, note the UUID in the URL:
   http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148

Copy this UUID: bad87630-69a4-4cd6-bcb2-6965839dc148

Step 2 - Access draft as Visitor:

  1. Login as Visitor and get the auth_session cookie:
     curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$'
  2. Proof of Visitor permission
  3. Access the Editor's draft using the UUID:
     curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v

Result: Returns full HTML page with draft content (200 OK)

Impact

Impact Scenarios:

  1. Information Disclosure:

    • Visitor users can read unpublished drafts containing sensitive information
    • Drafts may contain confidential business information, unreleased announcements, or proprietary content
    • Competitive intelligence could be gathered from draft content
  2. Privacy Violation:

    • Personal notes, work-in-progress content, or internal communications in drafts exposed
    • Violation of content creator privacy expectations
  3. Business Impact:

    • Premature disclosure of marketing campaigns, product launches, or announcements
    • Loss of competitive advantage if draft strategies are exposed
    • Potential compliance issues if drafts contain regulated information
  4. Complete RBAC Bypass:

    • The entire role-based access control system for draft content is bypassed
    • "Visitor" role becomes equivalent to "Editor" for read access to drafts
    • Undermines the trust model of multi-user content management
