CVE-2026-32104: CWE-639: Authorization Bypass Through User-Controlled Key in withstudiocms studiocms
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
AI Analysis
Technical Summary
StudioCMS is a headless content management system built on Astro and rendered server-side. CVE-2026-32104 is an authorization bypass in the updateUserNotifications API endpoint in versions prior to 0.4.3. The endpoint takes a user ID from the request payload and updates that user's notification preferences. It checks that the caller is authenticated but never compares the supplied ID with the session's own user ID (the missing id !== userData.user.id guard named in the advisory), so the caller chooses which account is modified. Any authenticated user can therefore change the notification settings of any other user, including administrators, and in particular can switch off the notifications administrators rely on to learn about suspicious activity, which helps an attacker remain undetected for longer. This is the pattern CWE-639 (Authorization Bypass Through User-Controlled Key) describes: an insecure direct object reference on the user record. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, low integrity and availability impact and no confidentiality impact. No exploitation in the wild was reported as of publication. Version 0.4.3 fixes the issue by verifying that the caller owns the target account before applying the update.
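As an added illustration (not StudioCMS's own code), the following TypeScript models the handler in its vulnerable and fixed forms. Only the identifier userData.user.id is taken from the advisory; the session shape, the preference fields, the in-memory store and the function names are assumptions made for this example.

```typescript
// Added illustration, not StudioCMS code. Only the identifier userData.user.id is
// taken from the advisory; the session shape, the preference fields, the in-memory
// store and the handler names are assumptions made for this example.

type NotificationPrefs = { notifyOnLogin: boolean; notifyOnContentChange: boolean };
type Session = { user: { id: string } } | null;
type Payload = { id: string; prefs: Partial<NotificationPrefs> };
type Result = { status: 200 | 401 | 403 | 404; body: string };
type Store = Map<string, NotificationPrefs>;

// Constructed sample accounts: one administrator and one ordinary user.
function seedStore(): Store {
  return new Map<string, NotificationPrefs>([
    ["admin-1", { notifyOnLogin: true, notifyOnContentChange: true }],
    ["user-2", { notifyOnLogin: false, notifyOnContentChange: true }],
  ]);
}

// Apply only the fields present in the payload, keeping the rest unchanged.
function mergePrefs(current: NotificationPrefs, prefs: Partial<NotificationPrefs>): NotificationPrefs {
  return {
    notifyOnLogin: prefs.notifyOnLogin ?? current.notifyOnLogin,
    notifyOnContentChange: prefs.notifyOnContentChange ?? current.notifyOnContentChange,
  };
}

// Vulnerable shape (CWE-639): the handler confirms that somebody is logged in,
// then trusts the id in the request body to select which row to update.
function updateUserNotificationsVulnerable(userData: Session, payload: Payload, db: Store): Result {
  if (!userData) return { status: 401, body: "not logged in" };
  const current = db.get(payload.id); // payload.id is attacker-controlled
  if (!current) return { status: 404, body: "no such user" };
  db.set(payload.id, mergePrefs(current, payload.prefs));
  return { status: 200, body: "updated" };
}

// Hardened shape: the ownership check the advisory describes. A request whose
// payload id is not the session's own id is refused before anything is written.
function updateUserNotificationsFixed(userData: Session, payload: Payload, db: Store): Result {
  if (!userData) return { status: 401, body: "not logged in" };
  if (payload.id !== userData.user.id) return { status: 403, body: "forbidden" };
  const current = db.get(payload.id);
  if (!current) return { status: 404, body: "no such user" };
  db.set(payload.id, mergePrefs(current, payload.prefs));
  return { status: 200, body: "updated" };
}

// Replay the advisory's scenario: a low-privilege session tries to silence the
// administrator's notifications through each version of the handler.
function demo() {
  const attacker: Session = { user: { id: "user-2" } };
  const silenceAdmin: Payload = {
    id: "admin-1",
    prefs: { notifyOnLogin: false, notifyOnContentChange: false },
  };

  const dbVulnerable = seedStore();
  const vulnerable = updateUserNotificationsVulnerable(attacker, silenceAdmin, dbVulnerable);
  const adminAfterVulnerable = dbVulnerable.get("admin-1")!;

  const dbFixed = seedStore();
  const fixed = updateUserNotificationsFixed(attacker, silenceAdmin, dbFixed);
  const adminAfterFixed = dbFixed.get("admin-1")!;

  // The fixed handler still lets the same session change its own preferences.
  const ownUpdate = updateUserNotificationsFixed(attacker, { id: "user-2", prefs: { notifyOnLogin: true } }, dbFixed);

  return { vulnerable, adminAfterVulnerable, fixed, adminAfterFixed, ownUpdate };
}

console.log(demo());
```

The fixed handler keeps the payload ID and compares it to the session, which is the check the advisory describes; an even simpler variant drops the ID from the payload entirely and always updates userData.user.id, so there is no user-controlled key to get wrong. Whichever form a project uses, the check must sit before the database write, and any administrative "edit another user's settings" feature needs its own explicit role check rather than a missing one.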
Potential Impact
The direct impact is unauthorized modification of another user's notification preferences; the damage lies in what that enables. By switching off an administrator's notifications an attacker can hide subsequent activity on the instance, delaying detection and response, and the notification system itself can no longer be trusted as a signal. The flaw exposes no data (no confidentiality impact), but the integrity impact on administrative alerting makes it a useful first step for an attacker who intends to persist or to attempt further escalation through other means. Availability is affected to the extent that suppressed notifications cause warnings about system health or security events to be missed. An attacker needs an authenticated account: on instances that allow visitors to register this is a low bar, and on closed instances the exposure is to existing users, insiders and stolen credentials. Every StudioCMS instance running a version before 0.4.3 is affected.
Mitigation Recommendations
The fix is to upgrade StudioCMS to 0.4.3 or later, where updateUserNotifications rejects a payload ID that does not belong to the authenticated caller; confirm the installed version in the lockfile rather than relying on a manifest range. Until the upgrade is in place: reduce the number of accounts that can reach the endpoint (disable open registration if it is not needed, remove dormant accounts, keep permissions minimal); enable audit logging and review it for notification-preference changes where the acting user differs from the target user, treating any such write against an administrator account as a probable exploitation attempt; and deliver security-relevant alerts through a channel outside StudioCMS (server-side log forwarding to a SIEM, for example), because the in-app notifications are precisely what this bug lets an attacker switch off. Multi-factor authentication and network segmentation lower the chance that an attacker obtains a valid session in the first place, and users should be reminded that a compromised low-privilege account is enough to trigger this issue. A WAF is of limited use here: it normally cannot tell whether the user ID in the request body matches the caller's session, so a rule can at best log every call to the endpoint or block it outright while the preference feature is not needed; treat that as a stopgap, not a fix. After upgrading, verify the patch by sending an update for another account from a low-privilege session and confirming that it is rejected.
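As an added example of the audit-log review recommended above (not StudioCMS code): StudioCMS's real audit log format is not documented on this page, so the JSON lines below are constructed, and the action name updateUserNotifications is reused from the advisory as the event type. The rule flags every notification-preference change whose acting user is not the target user, which is exactly the write the unpatched endpoint permits, and raises severity when the target is an administrator.

```typescript
// Added detection example, not StudioCMS code. The JSON audit lines are constructed
// for this example; the action name "updateUserNotifications" is taken from the
// advisory. Field names (ts, actor, action, target) are assumptions.

type AuditEvent = { ts: string; actor: string; action: string; target: string };
type Finding = { ts: string; actor: string; target: string; severity: "high" | "medium" };

// Constructed sample log: a benign self-update, a cross-user write against an
// administrator, an unrelated login event, a cross-user write against an
// ordinary user, and a malformed line the parser must tolerate.
const sampleAuditLog: string[] = [
  '{"ts":"2026-03-11T20:01:02Z","actor":"user-2","action":"updateUserNotifications","target":"user-2"}',
  '{"ts":"2026-03-11T20:02:10Z","actor":"user-2","action":"updateUserNotifications","target":"admin-1"}',
  '{"ts":"2026-03-11T20:03:00Z","actor":"admin-1","action":"login","target":"admin-1"}',
  '{"ts":"2026-03-11T20:04:45Z","actor":"user-3","action":"updateUserNotifications","target":"user-2"}',
  "this line is not JSON",
];

// Accounts whose notifications matter most; in practice load this from the role table.
const adminAccounts = new Set<string>(["admin-1"]);

// Parse one line defensively: malformed or incomplete records are skipped, not fatal.
function parseAuditLine(line: string): AuditEvent | null {
  try {
    const obj = JSON.parse(line);
    if (
      obj !== null && typeof obj === "object" &&
      typeof obj.ts === "string" && typeof obj.actor === "string" &&
      typeof obj.action === "string" && typeof obj.target === "string"
    ) {
      return { ts: obj.ts, actor: obj.actor, action: obj.action, target: obj.target };
    }
  } catch {
    // not JSON: fall through and report nothing for this line
  }
  return null;
}

// Core rule: a notification-preference change where actor !== target is the
// signature of this bug being exercised. Writes against administrators are "high".
function findCrossUserNotificationWrites(lines: string[], admins: Set<string>): Finding[] {
  const found: Finding[] = [];
  for (const line of lines) {
    const ev = parseAuditLine(line);
    if (!ev || ev.action !== "updateUserNotifications") continue;
    if (ev.actor === ev.target) continue; // legitimate self-service update
    found.push({
      ts: ev.ts,
      actor: ev.actor,
      target: ev.target,
      severity: admins.has(ev.target) ? "high" : "medium",
    });
  }
  return found;
}

console.log(findCrossUserNotificationWrites(sampleAuditLog, adminAccounts));
```

The rule only works if the log records both the acting user (from the session) and the target user (from the payload); a log that stores just the target cannot distinguish a self-update from an attack, so check what the instance actually emits before relying on this. On a patched instance the same query should return nothing, which makes it a cheap post-upgrade regression check as well.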
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef943757522
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/11/2026, 8:45:08 PM
Last updated: 3/14/2026, 2:34:00 AM