CVE-2026-32101 is an incorrect authorization vulnerability (CWE-863) found in the s3-storage manager component of @studiocms, a headless content management system designed for server-side rendering with Astro. The root cause is a programming error where the asynchronous isAuthorized() function, which returns a Promise<boolean>, is invoked without the await keyword in both POST and PUT HTTP handlers. In JavaScript, a Promise object is always truthy, so the negation check (!isAuthorized(type)) incorrectly evaluates to false, effectively bypassing the authorization logic. This means that any authenticated user, regardless of their assigned role (including the lowest visitor role), can perform privileged operations on the S3 bucket such as uploading new files, deleting existing ones, renaming files, and listing all stored objects. The vulnerability affects all versions of s3-storage prior to 0.3.1. The flaw does not require user interaction beyond authentication and can be exploited remotely, making it a critical concern for deployments that rely on this CMS for content management and storage. The vulnerability has a CVSS v3.1 score of 7.6, reflecting high severity due to its impact on integrity and confidentiality, ease of exploitation, and network attack vector. The issue was publicly disclosed on March 11, 2026, and fixed in version 0.3.1 of the s3-storage package. No known exploits have been reported in the wild as of now.

The vulnerability allows unauthorized modification and access to files stored in the S3 bucket used by the CMS, severely compromising data integrity and confidentiality. Attackers with minimal privileges can upload malicious files, delete critical content, rename files to disrupt operations, or exfiltrate sensitive data by listing bucket contents. This can lead to data loss, defacement, unauthorized data disclosure, and potential further exploitation if malicious files are uploaded and executed. Organizations relying on @studiocms for content management and storage are at risk of operational disruption and reputational damage. Since the flaw requires only authenticated access with minimal privileges, insider threats or compromised low-privilege accounts can be leveraged to exploit this vulnerability. The availability impact is low to moderate, as attackers could delete or rename files, but full denial of service is unlikely. The vulnerability’s network accessibility and lack of user interaction requirement increase its risk profile globally.

Organizations should immediately upgrade the @studiocms s3-storage component to version 0.3.1 or later, where the authorization bypass is fixed by properly awaiting the isAuthorized() Promise. Until patching is possible, restrict access to the CMS to trusted users only and enforce strict authentication and monitoring of user activities, especially for low-privilege accounts. Implement additional access controls at the S3 bucket level, such as bucket policies or IAM roles, to limit file operations to only necessary users and services, thereby reducing the impact of compromised CMS authorization. Enable logging and alerting on S3 bucket operations to detect suspicious activities like unexpected uploads or deletions. Conduct thorough audits of existing files for unauthorized changes or malicious content. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect anomalous API requests targeting file operations. Finally, educate developers and administrators on proper asynchronous handling in JavaScript to prevent similar logic flaws.