CVE-2026-32103: CWE-639: Authorization Bypass Through User-Controlled Key in withstudiocms studiocms
CVE-2026-32103 is an authorization bypass vulnerability in StudioCMS versions prior to 0.4.3. It affects the POST /studiocms_api/dashboard/create-reset-link endpoint, allowing any authenticated admin user to generate password reset tokens for any other user, including the highest-privileged owner account. The vulnerability arises because the system verifies admin status but does not enforce role hierarchy or validate that the target userId matches the caller's identity. By combining this with the password reset endpoint, an attacker with admin privileges can fully take over the owner account. This flaw has a CVSS score of 6.8 (medium severity) and does not require user interaction. The vulnerability is fixed in version 0.4.3.
AI Analysis
Technical Summary
StudioCMS is a headless content management system that, prior to version 0.4.3, contains a critical authorization bypass vulnerability identified as CVE-2026-32103. The issue exists in the POST /studiocms_api/dashboard/create-reset-link API endpoint, which allows any authenticated user with admin privileges to generate password reset tokens for arbitrary users, including the system owner. The root cause is insufficient authorization checks: while the endpoint confirms the caller is an admin, it does not enforce role hierarchy or verify that the target userId corresponds to the caller. This lack of validation enables privilege escalation by allowing an admin-level user to reset the password of the highest-privileged account. When combined with the POST /studiocms_api/dashboard/reset-password endpoint, this leads to a complete account takeover of the owner account. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-640 (Weak Password Recovery Mechanism). The CVSS 3.1 score is 6.8, reflecting network exploitability with low attack complexity, requiring high privileges but no user interaction, and impacting integrity with a scope change. No known exploits are currently reported in the wild. The issue was publicly disclosed on March 11, 2026, and fixed in StudioCMS version 0.4.3.
Potential Impact
This vulnerability allows any authenticated admin user to escalate privileges by taking over the highest-privileged owner account, effectively compromising the entire StudioCMS installation. The attacker can reset the owner’s password, gain full control over the CMS, modify content, alter configurations, and potentially deploy malicious code or backdoors. This can lead to significant integrity breaches, loss of trust, and potential data manipulation or destruction. Since StudioCMS is a content management system, the impact extends to any websites or applications relying on it for content delivery, potentially affecting availability indirectly through malicious content or defacement. Organizations using vulnerable versions risk unauthorized administrative control, which can cascade into broader network compromise if the CMS is integrated with other systems. The medium CVSS score reflects that exploitation requires admin privileges, limiting immediate risk to insider threats or compromised admin accounts, but the impact on integrity and scope is severe.
Mitigation Recommendations
The primary mitigation is to upgrade StudioCMS to version 0.4.3 or later, where this vulnerability is fixed. Until upgrade is possible, organizations should strictly limit admin privileges to trusted personnel and enforce strong access controls and monitoring on admin accounts. Implement multi-factor authentication (MFA) for all admin users to reduce the risk of credential compromise. Audit and log all password reset requests and admin actions to detect suspicious activity. Consider network segmentation to isolate the CMS from less trusted networks and restrict API access to known IP addresses. Review and harden password reset workflows and ensure that role hierarchy and user identity validations are enforced in custom or legacy CMS components. Regularly review user roles and permissions to minimize the number of admin accounts. Finally, conduct penetration testing to verify that no other authorization bypasses exist.
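The two checks the technical summary says are missing (role hierarchy and target-equals-caller), together with the audit trail and detection the mitigation section recommends, as an added TypeScript illustration. This is not StudioCMS code: the role names, the in-memory user directory, and the function names are assumptions made for the example, and the "vulnerable" check models only the behaviour the advisory describes.

```typescript
import { randomBytes } from "node:crypto";

// Role hierarchy assumed for this example; StudioCMS's real role set may differ.
type Role = "visitor" | "editor" | "admin" | "owner";
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

interface User { id: string; role: Role; }

// Constructed user directory standing in for the CMS database.
const USERS: Record<string, User> = {
  "u-owner": { id: "u-owner", role: "owner" },
  "u-admin": { id: "u-admin", role: "admin" },
  "u-editor": { id: "u-editor", role: "editor" },
};

interface Decision { allowed: boolean; reason: string; }

// The flawed check as the advisory describes it: admin status is verified,
// but nothing compares the target's role to the caller's or checks identity,
// so an admin can mint a reset link for the owner.
function vulnerableCheck(caller: User, targetId: string): Decision {
  if (RANK[caller.role] < RANK.admin) return { allowed: false, reason: "caller is not an admin" };
  if (!(targetId in USERS)) return { allowed: false, reason: "unknown target" };
  return { allowed: true, reason: "caller is an admin" };
}

// Hardened check: a caller may request a reset link for itself, or for a user
// whose role is strictly below its own. An admin can therefore never target
// the owner, and peers (admin vs admin) cannot target each other.
function hardenedCheck(caller: User, targetId: string): Decision {
  const target = USERS[targetId];
  if (!target) return { allowed: false, reason: "unknown target" };
  if (caller.id === target.id) return { allowed: true, reason: "self-service reset" };
  if (RANK[caller.role] < RANK.admin) return { allowed: false, reason: "caller is not an admin" };
  if (RANK[target.role] >= RANK[caller.role]) {
    return { allowed: false, reason: `target role ${target.role} is not below caller role ${caller.role}` };
  }
  return { allowed: true, reason: "caller outranks target" };
}

interface AuditEvent {
  callerId: string; callerRole: Role; targetId: string; targetRole?: Role;
  allowed: boolean; reason: string;
}
const AUDIT: AuditEvent[] = [];

// Handler-shaped wrapper for the create-reset-link step: every request is
// logged, allowed or not, and a token is issued only when the hardened check
// passes. Token storage and expiry are omitted; only the decision is modelled.
function createResetLink(caller: User, targetId: string): string | null {
  const decision = hardenedCheck(caller, targetId);
  AUDIT.push({
    callerId: caller.id, callerRole: caller.role, targetId,
    targetRole: USERS[targetId]?.role, allowed: decision.allowed, reason: decision.reason,
  });
  if (!decision.allowed) return null;
  return randomBytes(32).toString("hex"); // 64 hex chars of CSPRNG output
}

// Detection over the audit trail: flag any reset request aimed at a user who
// does not rank below the requester. On a patched instance these are denied;
// on an unpatched one they are exactly the requests that would have succeeded,
// so the same rule is useful for reviewing historical logs.
function suspiciousResetRequests(events: AuditEvent[]): AuditEvent[] {
  return events.filter(e =>
    e.callerId !== e.targetId &&
    e.targetRole !== undefined &&
    RANK[e.targetRole] >= RANK[e.callerRole]);
}
```

The rank comparison is strict on purpose: an "outranks or equals" rule would still let one admin reset another admin's password, which is a lateral move the hierarchy check is meant to prevent. Self-service resets are allowed only through the caller's own session, which is why the identity comparison comes before the rank comparison.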
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef94375751f
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/19/2026, 2:21:44 AM
Last updated: 4/28/2026, 7:13:32 AM
Views: 101