cvedb.io
CVE-2026-32104
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-03-11T21:16:16.457 · Last modified 2026-06-17T10:35:08.573

Summary

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.

Affected products

studiocms — studiocms

Does this affect you?

Add your gear to cvedb and we'll alert you only when studiocms ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.