StudioCMS is a headless content management system that uses server-side rendering with Astro. In versions before 0.4.4, the REST API endpoint getUsers accepts a 'rank' query parameter which is controlled by the requesting user. This parameter determines whether owner accounts are included in the returned user list. An attacker with an admin token can specify 'rank=owner' to bypass intended authorization restrictions and retrieve sensitive owner account information, including user IDs, usernames, display names, and email addresses. This is an example of CWE-639: Authorization Bypass Through User-Controlled Key, where improper validation of user-controlled input leads to unauthorized data access. Notably, the getUser endpoint enforces proper authorization checks and blocks admin users from viewing owner accounts, highlighting an inconsistency in access control logic within the same user management API surface. The vulnerability requires an authenticated admin token, limiting exposure to privileged users. The flaw was addressed and fixed in StudioCMS version 0.4.4 by correcting the authorization logic to properly restrict access based on user rank. The CVSS 3.1 base score is 2.7, indicating low severity due to limited confidentiality impact, no integrity or availability impact, and the need for high privileges to exploit.

The primary impact of this vulnerability is unauthorized disclosure of owner account information to users with admin privileges. While admin users typically have elevated access, owner accounts may represent a higher trust level or contain more sensitive information. Exposure of owner usernames, email addresses, and IDs could facilitate targeted phishing, social engineering, or further privilege escalation attempts if combined with other vulnerabilities. However, since exploitation requires an admin token, the risk is limited to insiders or compromised admin accounts. There is no impact on data integrity or system availability. Organizations using vulnerable versions of StudioCMS risk leaking sensitive user data within their administrative user base, which could undermine trust and compliance with data protection policies. The lack of known exploits in the wild reduces immediate threat but patching is recommended to maintain proper authorization controls and prevent potential misuse.

Organizations should upgrade StudioCMS to version 0.4.4 or later, where the authorization bypass issue is fixed. Until upgrading, administrators should restrict admin token issuance and monitor admin API usage for suspicious queries involving the 'rank' parameter. Implement additional logging and alerting on access to owner-level user data to detect potential abuse. Review and audit all user management API endpoints for consistent authorization enforcement to prevent similar inconsistencies. Employ the principle of least privilege by limiting admin roles to only necessary permissions and consider multi-factor authentication to reduce risk of admin token compromise. If custom integrations or API clients exist, verify they do not rely on the vulnerable getUsers endpoint behavior. Finally, maintain an incident response plan to address potential insider threats or misuse of admin privileges.