CVE-2026-32106: CWE-269: Improper Privilege Management in withstudiocms studiocms
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.
AI Analysis
Technical Summary
StudioCMS, a server-side-rendered, Astro native, headless content management system, prior to version 0.4.3, contains a privilege management vulnerability (CVE-2026-32106) due to inconsistent rank validation logic between its REST API and Dashboard API. The REST API's createUser endpoint performs rank checks using string comparisons that only block creation of owner-level accounts, whereas the Dashboard API uses a more robust indexOf-based rank comparison that prevents creating users with ranks equal to or higher than the caller's. This discrepancy allows an authenticated admin user to exploit the REST API to create additional admin accounts, circumventing intended privilege restrictions. Such unauthorized creation of admin accounts enables privilege proliferation, potentially allowing attackers or malicious insiders to maintain persistent elevated access within the system. The vulnerability affects all StudioCMS versions before 0.4.3 and does not require user interaction but does require authenticated admin privileges. The CVSS v3.1 base score is 4.7 (medium), reflecting the limited scope and the prerequisite of high privileges for exploitation. No known exploits are currently reported in the wild. The issue was publicly disclosed and fixed in version 0.4.3.
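The two rank checks contrasted above, modelled side by side as an added illustration (not StudioCMS's own code); the rank ladder and the function names are assumptions made for this example.

```typescript
// Assumed rank ladder for this illustration (lowest privilege first); the real
// StudioCMS rank list may differ. The indexOf comparison relies on this order.
const RANKS: readonly string[] = ["visitor", "editor", "admin", "owner"];

interface CreateUserRequest {
  callerRank: string;    // rank of the authenticated account calling createUser
  requestedRank: string; // rank the new account should receive
}

// String-based check of the kind the advisory attributes to the pre-0.4.3 REST
// endpoint: the only thing refused is an owner account. An admin therefore
// passes when asking for another admin.
function restCheckVulnerable(req: CreateUserRequest): boolean {
  return req.requestedRank !== "owner";
}

// indexOf-based check of the kind attributed to the Dashboard API: the requested
// rank must sit strictly below the caller's rank on the ladder. Ranks that are
// not on the ladder (indexOf returns -1) are denied instead of treated as lowest.
function rankCheckHardened(req: CreateUserRequest): boolean {
  const callerIdx = RANKS.indexOf(req.callerRank);
  const requestedIdx = RANKS.indexOf(req.requestedRank);
  if (callerIdx < 0 || requestedIdx < 0) return false;
  return requestedIdx < callerIdx;
}

// Ranks a caller could obtain through the lenient check but not the strict one:
// the gap the advisory describes as privilege proliferation.
function ranksLeakedBy(callerRank: string): string[] {
  return RANKS.filter((requestedRank) => {
    const req = { callerRank, requestedRank };
    return restCheckVulnerable(req) && !rankCheckHardened(req);
  });
}
```

For an admin caller, ranksLeakedBy returns only "admin": the hardened check closes exactly the case the advisory reports, while an owner caller sees no difference between the two checks.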
Potential Impact
The vulnerability allows authenticated administrators to create additional admin accounts beyond intended limits, leading to privilege proliferation. This can result in unauthorized administrative access, enabling attackers or malicious insiders to maintain persistent control over the CMS environment. The impact includes potential unauthorized changes to content, configuration, or user management, which can compromise confidentiality, integrity, and availability of the CMS and its hosted content. While exploitation requires existing admin credentials, the ability to create multiple admin accounts increases the attack surface and complicates incident response and remediation. Organizations using vulnerable versions may face risks of insider threats, unauthorized data modification, and prolonged compromise if attackers leverage this flaw to establish backdoor accounts.
Mitigation Recommendations
Organizations should immediately upgrade StudioCMS to version 0.4.3 or later, where this vulnerability is fixed. Until upgrading, restrict access to the REST API createUser endpoint to only highly trusted administrators and monitor API usage logs for suspicious account creation activities. Implement strict role-based access controls and audit trails to detect unauthorized privilege escalations. Additionally, consider employing multi-factor authentication for admin accounts to reduce the risk of credential compromise. Regularly review and prune admin accounts to remove any unauthorized or unnecessary privileged users. Network-level protections such as IP whitelisting for admin API endpoints can further reduce exposure. Finally, integrate vulnerability scanning and patch management processes to ensure timely updates of StudioCMS and related components.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef943757525
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/11/2026, 8:44:57 PM
Last updated: 3/13/2026, 10:41:04 AM