CVE-2026-32104: CWE-639: Authorization Bypass Through User-Controlled Key in withstudiocms studiocms
CVE-2026-32104 is an authorization bypass (CWE-639, Authorization Bypass Through User-Controlled Key) in withstudiocms's StudioCMS versions prior to 0.4.3. The updateUserNotifications endpoint lets any authenticated user modify the notification preferences of any other user by supplying an arbitrary user ID in the request: the endpoint checks that the caller is authenticated, but not that the caller owns the target account. An attacker can use this to disable an administrator's notifications and suppress alerts of malicious activity. Exploitation requires an authenticated account but no user interaction beyond sending crafted requests. The CVSS vector records impact on the integrity and availability of notification settings and no direct confidentiality impact; any confidentiality effect is indirect, through reduced visibility into later activity. The issue is fixed in version 0.4.3.
AI Analysis
Technical Summary
StudioCMS, a server-side-rendered, Astro-native, headless content management system, contains an authorization bypass identified as CVE-2026-32104 (CWE-639). The flaw is in the updateUserNotifications API endpoint, which reads the target user ID from the request payload when updating notification preferences. The endpoint verifies that the caller is authenticated but never confirms that the caller owns the target account, i.e. it does not compare the supplied user ID with the authenticated user's ID. Any authenticated user can therefore change the notification settings of any other user, administrators included, and in particular can switch off admin notifications so that subsequent malicious activity goes unnoticed. All StudioCMS versions prior to 0.4.3 are affected, and exploitation requires nothing beyond an authenticated session and a crafted request. The CVSS 3.1 base score is 5.4 (Medium): network attack vector, low attack complexity, low privileges required (any account), no user interaction, and low impact on integrity and availability with no confidentiality impact, which corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. No exploitation in the wild has been reported. The issue was publicly disclosed on March 11, 2026, and is fixed in version 0.4.3.
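The following TypeScript is an added illustration of the CWE-639 pattern described above and is not StudioCMS's own code; the in-memory store, the session and payload shapes, the field names (adminAlerts, email) and the user IDs are all assumptions made for the example. It places the vulnerable handler (authenticated caller, user ID taken from the body and never compared with the session) beside the hardened one (the session identity decides whose preferences may change) and runs the advisory's scenario, a low-privilege user silencing an administrator's alerts, against both.

```typescript
// Added example for CVE-2026-32104 (CWE-639). Not StudioCMS code: the data
// model, session/payload shapes and sample users below are assumptions.

interface Session { userId: string; }                         // authenticated caller
interface NotificationPrefs { adminAlerts: boolean; email: boolean; }
interface UpdatePayload { userId: string; prefs: Partial<NotificationPrefs>; }
type Store = Map<string, NotificationPrefs>;
type Handler = (store: Store, session: Session | null, payload: UpdatePayload) => { status: number };

// Constructed sample data: one administrator with alerts on, one ordinary user.
function seedStore(): Store {
  return new Map<string, NotificationPrefs>([
    ["admin-1", { adminAlerts: true, email: true }],
    ["user-7", { adminAlerts: false, email: true }],
  ]);
}

// Vulnerable pattern: authentication is enforced, but the user ID that selects
// the record to update comes from the request body and is trusted as-is.
const updateUserNotificationsVulnerable: Handler = (store, session, payload) => {
  if (!session) return { status: 401 };                       // authn only, no authz
  const current = store.get(payload.userId);                  // attacker-chosen key
  if (!current) return { status: 404 };
  store.set(payload.userId, { ...current, ...payload.prefs });
  return { status: 200 };
};

// Hardened pattern: the authenticated identity is the only key used to select
// the record. A body userId that does not match the session is rejected with
// 403 rather than silently ignored, so a mismatch is visible in logs.
// (An explicit admin-management permission could extend this; omitted here.)
const updateUserNotificationsFixed: Handler = (store, session, payload) => {
  if (!session) return { status: 401 };
  if (payload.userId !== session.userId) return { status: 403 }; // ownership check
  const current = store.get(session.userId);                    // session-derived key
  if (!current) return { status: 404 };
  store.set(session.userId, { ...current, ...payload.prefs });
  return { status: 200 };
};

// Advisory scenario: low-privilege "user-7" tries to switch off admin alerts.
// Returns the handler's status and whether the admin still receives alerts.
function runScenario(handler: Handler): { status: number; adminAlertsStillOn: boolean } {
  const store = seedStore();
  const attacker: Session = { userId: "user-7" };
  const { status } = handler(store, attacker, { userId: "admin-1", prefs: { adminAlerts: false } });
  return { status, adminAlertsStillOn: store.get("admin-1")!.adminAlerts };
}

// Sanity check that the fix does not break the legitimate self-update path.
function runSelfUpdate(handler: Handler): { status: number; emailOff: boolean } {
  const store = seedStore();
  const me: Session = { userId: "user-7" };
  const { status } = handler(store, me, { userId: "user-7", prefs: { email: false } });
  return { status, emailOff: store.get("user-7")!.email === false };
}
```

The review question to ask of any handler of this shape is whether the record key is derived from the session or from the request; whenever it comes from the request, there must be an explicit comparison with the caller's identity (or a permission check) before the write.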
Potential Impact
The primary impact is unauthorized modification of notification preferences on any account, administrators included. By disabling admin notifications an attacker can suppress the alerts that would normally flag suspicious activity, lengthening the window in which an intrusion or abuse goes undetected and delaying incident response. This is an integrity and availability impact on the notification system; no data is disclosed directly, but the loss of visibility can enable a broader compromise. Because only an authenticated account is needed and no user interaction is required, the flaw is easy to exploit from an insider account or a compromised low-privilege account. Organizations that rely on StudioCMS admin notifications as a security signal are most exposed, and any deployment on a version prior to 0.4.3 should be treated as affected.
Mitigation Recommendations
Upgrade StudioCMS to version 0.4.3 or later, where the endpoint verifies that the authenticated user matches the target user ID before accepting a notification preference update. After patching, audit notification settings for every administrator account and restore any that were disabled; note that the unpatched endpoint gives no ownership signal, so unless request logging captures the authenticated caller and the user ID in the payload, you may be able to see that settings changed but not who changed them. Until the upgrade is applied, review and minimize the set of accounts that can authenticate to the instance, since any of them can reach the endpoint. Longer term, alert on changes to admin notification settings, enforce least privilege on CMS accounts, require multi-factor authentication to reduce the chance that a stolen credential becomes an authenticated foothold, and include authorization checks on object-level API endpoints (who may act on which user ID) in regular security reviews and penetration tests of the CMS API.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef943757522
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/19/2026, 2:22:01 AM
Last updated: 4/28/2026, 7:06:48 AM