StudioCMS is a headless content management system that uses server-side rendering and Astro native technology. In versions prior to 0.4.4, the REST API endpoint getUsers accepts a 'rank' query parameter controlled by the user to filter user accounts by their rank, such as 'owner'. This parameter is used to decide whether owner accounts should be included in the response. However, this design flaw allows an attacker with an admin token to specify 'rank=owner' and retrieve sensitive owner account information including IDs, usernames, display names, and email addresses. This is an authorization bypass vulnerability categorized as CWE-639, where the authorization decision is improperly controlled by user input. Notably, the adjacent getUser endpoint correctly enforces restrictions preventing admins from viewing owner accounts, highlighting an inconsistency in access control within the same user management interface. The vulnerability does not affect confidentiality beyond exposure of owner account metadata, does not impact integrity or availability, and requires a privileged admin token for exploitation. The vulnerability was publicly disclosed on March 18, 2026, with no known exploits in the wild. The vendor fixed the issue in version 0.4.4 by correcting the authorization logic to prevent user-controlled filtering of owner accounts.

The primary impact of this vulnerability is unauthorized disclosure of owner account metadata to users with admin privileges but without owner-level access. While the exposed information is limited to IDs, usernames, display names, and email addresses, this data can facilitate targeted social engineering, phishing, or reconnaissance activities against high-privilege users. The vulnerability does not allow modification or deletion of data, nor does it affect system availability. Organizations using vulnerable versions of StudioCMS risk leaking sensitive user identity information within their administrative user base, potentially undermining trust and increasing the attack surface for further attacks. Since exploitation requires an admin token, the risk is limited to insiders or compromised admin accounts. However, in environments where admin tokens are shared or insufficiently protected, the vulnerability could be leveraged to escalate information access privileges. Overall, the impact is low but non-negligible in sensitive or high-security environments.

Organizations should upgrade StudioCMS to version 0.4.4 or later, where the authorization bypass vulnerability is fixed. Until upgrade is possible, administrators should restrict admin token issuance and enforce strict access controls to minimize the number of users with admin privileges. Monitoring and auditing API usage, especially calls to the getUsers endpoint with unusual 'rank' parameters, can help detect exploitation attempts. Additionally, implementing network-level restrictions to limit access to the CMS API to trusted IPs or VPNs can reduce exposure. Reviewing and hardening internal role-based access control policies to ensure separation of duties between admin and owner roles is recommended. Finally, educating administrators about the risks of sharing tokens and enforcing multi-factor authentication can reduce the likelihood of token compromise.