CVE-2026-32103: CWE-639: Authorization Bypass Through User-Controlled Key in withstudiocms studiocms
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.
AI Analysis
Technical Summary
StudioCMS is a headless content management system that supports server-side rendering with Astro. In versions prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any user account, including the owner account. The vulnerability stems from the endpoint verifying only that the caller has admin privileges but failing to enforce role hierarchy or verify that the target userId matches the caller's identity. This means an admin can request a reset link for a higher-privileged user without restriction. When combined with the POST /studiocms_api/dashboard/reset-password endpoint, an attacker can reset the password of the owner account, effectively taking full control of the system. The flaw relates to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-640 (Weak Password Recovery Mechanism). The vulnerability does not require user interaction but does require the attacker to have admin-level access. The CVSS 3.1 score is 6.8, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and impact limited to integrity (account takeover) without confidentiality or availability impact. No known exploits are reported in the wild. The issue was publicly disclosed on March 11, 2026, and fixed in StudioCMS version 0.4.3.
Potential Impact
This vulnerability allows an attacker with admin privileges to escalate their access by taking over the highest-privileged owner account. This can lead to complete compromise of the CMS, including unauthorized content changes, data manipulation, and potential deployment of malicious content or backdoors. The integrity of the system is severely impacted, as the attacker can bypass intended role hierarchies and controls. Although confidentiality and availability are not directly affected, the loss of control over the owner account can indirectly lead to broader security breaches and operational disruptions. Organizations relying on StudioCMS for critical content management risk reputational damage, data integrity loss, and potential regulatory non-compliance if exploited. Since exploitation requires admin credentials, insider threats or compromised admin accounts pose the greatest risk. The vulnerability's presence in versions prior to 0.4.3 means that any deployments not updated are at risk.
Mitigation Recommendations
The primary mitigation is to upgrade StudioCMS to version 0.4.3 or later, where the vulnerability is fixed by enforcing proper role hierarchy checks and validating that the target userId matches the caller's identity. Until upgrade is possible, organizations should restrict admin privileges to trusted personnel only and monitor admin activities closely. Implement multi-factor authentication (MFA) for admin accounts to reduce the risk of credential compromise. Audit logs should be reviewed regularly for suspicious password reset requests or unusual admin actions. Additionally, consider implementing network segmentation and access controls to limit exposure of the StudioCMS admin interface. If feasible, temporarily disable password reset functionality or restrict it to owner accounts only until patched. Finally, conduct security awareness training to reduce insider threat risks.
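As an added illustration (not StudioCMS's own code), the following TypeScript contrasts the admin-only check the summary above describes with a hardened check that enforces role hierarchy and a self-target rule, plus a handler wrapper that emits the audit line the mitigation section says to review. The role names, rank values and user records are assumptions constructed for the example.

```typescript
type Role = "visitor" | "editor" | "admin" | "owner";

// Higher rank = more privilege. Rank values are an assumption for illustration.
const ROLE_RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

interface User { id: string; role: Role; }

// Constructed sample directory standing in for the CMS user table.
const USERS: Record<string, User> = {
  "u-owner":  { id: "u-owner",  role: "owner" },
  "u-admin":  { id: "u-admin",  role: "admin" },
  "u-editor": { id: "u-editor", role: "editor" },
};

// Shape of the check the advisory describes as insufficient: only "is the
// caller an admin?" is verified; the target userId from the body is trusted.
function canCreateResetLinkVulnerable(callerId: string, targetId: string): boolean {
  const caller = USERS[callerId];
  if (!caller || !USERS[targetId]) return false;
  return ROLE_RANK[caller.role] >= ROLE_RANK.admin;
}

// Hardened check: caller must be at least admin, and the target must be the
// caller's own account or an account the caller strictly outranks.
function canCreateResetLinkHardened(callerId: string, targetId: string): boolean {
  const caller = USERS[callerId];
  const target = USERS[targetId];
  if (!caller || !target) return false;
  if (ROLE_RANK[caller.role] < ROLE_RANK.admin) return false;
  if (caller.id === target.id) return true;
  return ROLE_RANK[caller.role] > ROLE_RANK[target.role];
}

interface ResetLinkResult { status: number; audit: string; }

// Handler wrapper: denies with 403 and always emits an audit line so that
// denied cross-role reset attempts show up during log review.
function handleCreateResetLink(callerId: string, targetId: string): ResetLinkResult {
  const allowed = canCreateResetLinkHardened(callerId, targetId);
  const audit = `create-reset-link caller=${callerId} target=${targetId} ` +
                `decision=${allowed ? "allow" : "deny"}`;
  return { status: allowed ? 200 : 403, audit };
}
```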
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef94375751f
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/11/2026, 8:45:19 PM
Last updated: 3/14/2026, 2:35:56 AM