CVE-2026-32106: CWE-269: Improper Privilege Management in withstudiocms studiocms
CVE-2026-32106 is a medium severity privilege management vulnerability in StudioCMS versions prior to 0.4.3. The issue arises from inconsistent rank checks between the REST API and Dashboard API when creating user accounts. Specifically, the REST API uses string-based rank checks that only block creation of owner accounts, while the Dashboard API uses indexOf-based rank comparisons to prevent creating users at or above the caller's rank. This inconsistency allows an authenticated admin to create additional admin accounts via the REST API, leading to privilege escalation and persistence. No user interaction is required beyond authentication, and the vulnerability is fixed in version 0.4.3. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
StudioCMS, a headless content management system built with Astro, prior to version 0.4.3, contains a privilege management vulnerability identified as CVE-2026-32106. The vulnerability stems from inconsistent authorization logic between two interfaces: the REST API's createUser endpoint and the Dashboard API. The REST API performs rank checks using string comparisons that only prevent creation of owner-level accounts, failing to block creation of admin-level accounts. Conversely, the Dashboard API uses an indexOf-based rank comparison that effectively prevents users from creating accounts at or above their own rank. This discrepancy allows an authenticated administrator to bypass intended restrictions by using the REST API to create additional admin accounts, thereby proliferating privileges beyond the original scope. This can lead to unauthorized privilege escalation and persistence within the CMS environment. The vulnerability requires the attacker to have administrative privileges already but does not require any further user interaction. The CVSS v3.1 base score is 4.7 (medium), reflecting the moderate impact and ease of exploitation given authenticated access. The issue was addressed and fixed in StudioCMS version 0.4.3, which harmonizes the rank checks across APIs to prevent privilege escalation.
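The two check styles the analysis contrasts, written out as an added illustration (this is not StudioCMS's own code): a string check that only refuses the owner rank, beside an ordered-rank check that refuses any target rank at or above the caller's, plus a matrix scan that surfaces where the two disagree. The rank names and their ordering are assumptions.

```typescript
// Assumed rank names, lowest to highest; the real StudioCMS rank list may differ.
const RANKS = ["visitor", "editor", "admin", "owner"] as const;
type Rank = (typeof RANKS)[number];

// Weak check of the kind the advisory describes for the REST API path:
// it only refuses to mint an owner account, so an admin caller can still
// create another account at its own rank.
function canCreateUserWeak(callerRank: Rank, targetRank: Rank): boolean {
  if (callerRank !== "admin" && callerRank !== "owner") return false;
  return targetRank !== "owner";
}

// Ordered check of the kind the advisory describes for the Dashboard API:
// compare positions in the rank list and refuse any target rank that is
// at or above the caller's own rank. Unknown ranks are denied outright.
function canCreateUserOrdered(callerRank: Rank, targetRank: Rank): boolean {
  const caller = RANKS.indexOf(callerRank);
  const target = RANKS.indexOf(targetRank);
  if (caller < 0 || target < 0) return false;
  if (caller < RANKS.indexOf("admin")) return false; // only admins and owners create users
  return target < caller;
}

// Consistency scan a reviewer can run over the full rank matrix: every
// (caller, target) pair the weak check allows but the ordered check denies
// is a divergence of exactly the kind that let an admin create admins.
function divergentPairs(): Array<[Rank, Rank]> {
  const out: Array<[Rank, Rank]> = [];
  for (const caller of RANKS) {
    for (const target of RANKS) {
      if (canCreateUserWeak(caller, target) && !canCreateUserOrdered(caller, target)) {
        out.push([caller, target]);
      }
    }
  }
  return out; // with the assumed ranks: [["admin", "admin"]]
}
```

Running the scan against both entry points of a real deployment's authorization helpers is a cheap regression test that the checks stay harmonized after an upgrade.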
Potential Impact
The primary impact of this vulnerability is unauthorized privilege escalation and persistence within StudioCMS environments. An attacker with administrative access can create additional admin accounts, potentially circumventing internal controls and audit trails. This can lead to unauthorized changes to content, configuration, or user management, undermining the integrity and availability of the CMS. Organizations relying on StudioCMS for content delivery may face risks of data tampering, unauthorized content publication, or disruption of services. Although exploitation requires existing admin privileges, the ability to proliferate admin accounts increases the attack surface and complicates incident response. This vulnerability could facilitate insider threats or lateral movement within compromised environments. Given StudioCMS's niche but growing adoption, the impact is significant for organizations using affected versions, especially those with sensitive or high-value content management needs.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade StudioCMS to version 0.4.3 or later, where the inconsistent rank checks have been corrected. Until upgrading is possible, restrict administrative access to trusted personnel only and monitor user creation activities closely, especially via the REST API. Implement strict API access controls and logging to detect anomalous account creation patterns. Employ role-based access control (RBAC) policies externally to limit the number of users with administrative privileges. Additionally, consider network segmentation to restrict access to the REST API endpoints to trusted internal networks or VPNs. Regularly audit user accounts and remove any unauthorized or suspicious admin accounts. Finally, integrate StudioCMS logs with centralized security monitoring solutions to enable timely detection of privilege escalation attempts.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T22:02:38.854Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b1d0c22f860ef943757525
Added to database: 3/11/2026, 8:29:54 PM
Last enriched: 3/19/2026, 2:22:15 AM
Last updated: 4/28/2026, 7:26:10 AM