CVE-2026-24134 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization) affecting StudioCMS, a headless content management system built with Astro. The vulnerability exists in versions prior to 0.2.0 and allows users assigned the 'Visitor' role, which is typically a low-privilege role, to bypass authorization controls and access draft content created by higher-privileged users such as Editors, Admins, or Owners. This occurs due to insufficient validation of user-controlled keys used to retrieve content objects, leading to Broken Object Level Authorization (BOLA). The flaw enables unauthorized read access to confidential draft content, violating confidentiality but not impacting data integrity or system availability. The vulnerability can be exploited remotely over the network without user interaction and requires only low privileges, making it relatively easy to exploit. The vendor addressed this issue in StudioCMS version 0.2.0 by implementing proper authorization checks to ensure that users can only access content appropriate to their roles. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 6.5, reflecting medium severity with a vector indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.

For European organizations, this vulnerability poses a significant risk to the confidentiality of unpublished or draft content managed within StudioCMS environments running vulnerable versions. Unauthorized disclosure of draft content could lead to premature exposure of sensitive information, intellectual property leaks, or reputational damage, particularly for media, publishing, and marketing companies relying on StudioCMS for content workflows. Since the vulnerability requires only a low-privilege Visitor role, attackers could exploit it by registering or compromising low-level user accounts, increasing the attack surface. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone can have severe consequences, including regulatory compliance issues under GDPR if personal or sensitive data is exposed. The risk is heightened in organizations with collaborative content creation processes where draft content may contain sensitive strategic or personal information.

The primary mitigation is to upgrade StudioCMS installations to version 0.2.0 or later, where the authorization bypass vulnerability has been fixed. Organizations should immediately audit their CMS user roles and permissions to ensure that low-privilege users cannot access content beyond their authorization. Implement strict access control policies and validate authorization checks on all user-controlled keys or identifiers used to retrieve content objects. Employ logging and monitoring to detect unusual access patterns to draft or restricted content. Additionally, conduct regular security assessments and penetration testing focused on access control mechanisms within the CMS. If upgrading is not immediately feasible, consider restricting or disabling the Visitor role or limiting its capabilities until the patch can be applied. Finally, educate content creators and administrators about the risks of unauthorized content exposure and enforce secure content management practices.