CVE-2026-32101: CWE-863: Incorrect Authorization in @studiocms s3-storage
CVE-2026-32101 is a high-severity authorization bypass in the @studiocms s3-storage manager, affecting versions prior to 0.3.1. The asynchronous isAuthorized() function is called without awaiting its Promise, so the check always passes and any authenticated user, down to the lowest visitor role, can upload, delete, rename and list objects in the S3 bucket. Affected deployments are StudioCMS installations (a server-side-rendered, Astro-native headless CMS) that use a vulnerable version of the s3-storage manager. The flaw is exploitable over the network and requires no interaction beyond holding an authenticated account. The issue is fixed in version 0.3.1.
AI Analysis
Technical Summary
CVE-2026-32101 is an incorrect authorization vulnerability (CWE-863) in the s3-storage manager component of StudioCMS, a server-side-rendered, Astro-native headless content management system. The root cause is a missing await: isAuthorized(), which returns a Promise<boolean>, is invoked without await in both the POST and PUT handlers. A Promise object is truthy regardless of the value it will eventually resolve to, so the guard condition !isAuthorized(type) is always false and the deny branch never executes. Any authenticated user, including one holding only the visitor role, can therefore upload, delete, rename and list objects in the connected S3 bucket, which compromises the integrity and availability of stored content. All versions of the s3-storage manager prior to 0.3.1 are affected; the advisory was published on March 11, 2026. No in-the-wild exploitation had been reported at the time of writing, but the issue is reachable over the network by any authenticated user and needs no further interaction. The recorded CVSS v3.1 base score is 7.6 (high), reflecting low attack complexity, low privileges required, and high impact on integrity and availability. The fix in 0.3.1 awaits the authorization check so that the resolved boolean, rather than the Promise, is tested.
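The following is an added example, not StudioCMS code, that models the bug class in plain Node.js so the truthy-Promise behaviour can be observed directly. The role table, the in-memory bucket, and the handler names (vulnerableDelete, fixedDelete) are hypothetical stand-ins for the real isAuthorized() guard and the POST/PUT route handlers the advisory describes; the vulnerable handler keeps the unawaited call on purpose.

```javascript
// Added example modelling the bug class behind CVE-2026-32101 in plain Node.js.
// This is not StudioCMS code: the role table, the bucket stand-in and the
// handler names are hypothetical stand-ins for the real isAuthorized() guard
// and the POST/PUT route handlers the advisory describes.

const ROLE_RANK = { visitor: 0, editor: 1, admin: 2 };

// Hypothetical async guard in the shape the advisory describes: it resolves to a
// boolean, so calling it yields a Promise, and a Promise object is always truthy.
async function isAuthorized(user, type) {
  const required = type === 'list' ? 'editor' : 'admin';
  return ROLE_RANK[user.role] >= ROLE_RANK[required];
}

// In-memory stand-in for the S3 bucket so the example runs offline.
function makeBucket() {
  return new Map([['index.html', '<h1>site</h1>']]);
}

// VULNERABLE shape: the guard is not awaited. `!isAuthorized(...)` negates a
// Promise object, which is `false` for every caller, so the deny branch is dead
// and the operation always proceeds (this mirrors the pre-0.3.1 handlers).
function vulnerableDelete(bucket, user, key) {
  if (!isAuthorized(user, 'delete')) {
    return { status: 403, body: 'forbidden' };
  }
  bucket.delete(key);
  return { status: 200, body: `deleted ${key}` };
}

// FIXED shape: await the guard so the resolved boolean, not the Promise, is tested.
async function fixedDelete(bucket, user, key) {
  if (!(await isAuthorized(user, 'delete'))) {
    return { status: 403, body: 'forbidden' };
  }
  bucket.delete(key);
  return { status: 200, body: `deleted ${key}` };
}

// Run both handlers as the lowest-privilege role and report what survives.
async function demo() {
  const visitor = { name: 'anon', role: 'visitor' };
  const before = makeBucket();
  const v = vulnerableDelete(before, visitor, 'index.html');
  const after = makeBucket();
  const f = await fixedDelete(after, visitor, 'index.html');
  return {
    vulnerable: { status: v.status, objectsLeft: before.size },
    fixed: { status: f.status, objectsLeft: after.size },
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Running it shows the vulnerable handler returning 200 with the object gone for a visitor, and the fixed handler returning 403 with the object intact. Note that the vulnerable handler is not even declared async: nothing in the language stops a Promise from being negated, so the defect is silent at runtime and only a type-aware lint rule or a test that exercises the deny path will surface it.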
Potential Impact
Any authenticated user with minimal privileges can bypass the authorization check and manipulate objects in the S3 bucket StudioCMS uses. Uploads and renames allow defacement or injection of attacker-controlled content; deleting or renaming assets the site depends on disrupts availability. Because the list operation is also exposed, object names in the bucket are disclosed to low-privilege users, though the primary impacts are to integrity and availability rather than confidentiality. Organizations relying on StudioCMS for content delivery or storage face defacement, data loss and service disruption, and the low barrier to exploitation (an account at any role, reachable over the network) makes broad abuse likely if patching is delayed. The authentication requirement is only as strong as the process that hands out visitor accounts.
Mitigation Recommendations
Upgrade the @studiocms s3-storage manager to version 0.3.1 or later, where the authorization check is correctly awaited. Until then, restrict CMS accounts to trusted users, review and prune existing accounts (especially visitor-role ones), and watch the bucket for unexpected uploads, deletes and renames. Be clear about what a bucket policy can and cannot do here: every operation is performed with the CMS's own S3 credentials, so a bucket policy cannot tell a visitor from an administrator and does not close the bypass. Use it instead to bound the blast radius: grant the CMS principal only the actions the deployment actually needs, enable bucket versioning so deletions and overwrites are recoverable, and enable S3 data-event logging (CloudTrail data events or server access logs) so monitoring has a record of which operations occurred and when. Review custom or forked code for the same pattern: every asynchronous authorization guard must be awaited before its result is tested, and a lint rule that flags Promises used in conditionals catches the whole class rather than this one instance. Finally, consider placing the CMS administration surface and the bucket behind network segmentation or a VPN to reduce exposure.
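As a review aid for the "check custom or forked code" step above, here is an added example (not a StudioCMS tool) of a small regex-based scanner that flags calls to known async authorization guards whose result is used without await. The guard names and the sample source are constructed for this example; it is deliberately simple and a type-aware lint rule remains the proper fix.

```javascript
// Added example: a small, regex-based review aid that flags calls to known async
// authorization guards whose result is used without `await`. It is not a StudioCMS
// tool and is not a substitute for an AST-based lint rule; the guard names and the
// sample source below are constructed for this example.

const GUARD_NAMES = ['isAuthorized', 'checkPermission'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns [{ line, text }] for each guard call that is neither awaited, returned
// to the caller, nor the guard's own definition. Receivers such as `ctx.auth.`
// are allowed between `await` and the guard name.
function findUnawaitedGuards(source, guards = GUARD_NAMES) {
  const callRe = new RegExp(`(?<![\\w$])(?:${guards.map(escapeRegExp).join('|')})\\s*\\(`, 'g');
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(callRe)) {
      const prefix = text
        .slice(0, m.index)
        .replace(/(?:[\w$]+\.)+$/, '') // drop an `obj.prop.` receiver
        .replace(/[!(\s]+$/, '');      // drop `!`, `(` and whitespace
      // `await guard(`, `return guard(` and `function guard(` are not findings.
      if (/\b(await|return|function)$/.test(prefix)) continue;
      findings.push({ line: i + 1, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample in the shape of Astro route handlers; lines 4 and 16 carry
// the CVE-2026-32101 pattern, the rest are correct uses that must not be flagged.
const SAMPLE_SOURCE = [
  "import { isAuthorized } from './auth';",                                  // 1
  'export async function POST({ request }) {',                               // 2
  "  const type = request.headers.get('x-op');",                             // 3
  '  if (!isAuthorized(type)) {',                                            // 4  unawaited
  "    return new Response('forbidden', { status: 403 });",                  // 5
  '  }',                                                                     // 6
  '  return doUpload(request);',                                             // 7
  '}',                                                                       // 8
  'export async function PUT({ request }) {',                                // 9
  "  if (!(await isAuthorized('rename'))) {",                                // 10 awaited
  "    return new Response('forbidden', { status: 403 });",                  // 11
  '  }',                                                                     // 12
  '  return doRename(request);',                                             // 13
  '}',                                                                       // 14
  'export async function DELETE({ locals }) {',                              // 15
  "  if (!locals.auth.isAuthorized('delete')) return new Response(null, { status: 403 });", // 16 unawaited
  '  return doDelete();',                                                    // 17
  '}',                                                                       // 18
  "const ok = await ctx.locals.isAuthorized('list');",                       // 19 awaited
  "export function canUpload() { return isAuthorized('upload'); }",          // 20 returned promise
  'async function isAuthorized(type) { return true; }',                      // 21 definition
].join('\n');

const SAMPLE_FINDINGS = findUnawaitedGuards(SAMPLE_SOURCE);
for (const f of SAMPLE_FINDINGS) {
  console.log(`line ${f.line}: unawaited guard: ${f.text}`);
}
```

Treat the output as a worklist, not a verdict: the scanner cannot see a guard passed through a variable or a .then() chain, and it only knows the guard names you give it. For TypeScript code bases the equivalent AST-based checks are the typescript-eslint rules no-misused-promises (with checksConditionals enabled, which flags exactly a Promise in an if condition) and no-floating-promises; a failing test that exercises the deny path as a visitor is the other cheap guard against a regression.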
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef94375751c
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/19/2026, 2:20:04 AM
Last updated: 4/28/2026, 7:23:20 AM