GHSA-WJ56-G96R-673Q

Vulnerability from github – Published: 2026-03-12 14:49 – Updated: 2026-03-12 14:49
VLAI?
Summary
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts
Details

Summary

The REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence.

Details

The REST API handler in packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts:1365-1378:

// REST API — only blocks creating 'owner'
if (newUserRank === 'owner' && rank !== 'owner') {
    return yield* new RestAPIError({
        error: 'Unauthorized to create user with owner rank',
    });
}

if (rank === 'admin' && newUserRank === 'owner') {
    return yield* new RestAPIError({
        error: 'Unauthorized to create user with owner rank',
    });
}

// Missing: no check preventing admin from creating admin
// newUserRank='admin' passes all checks

The Dashboard API handler in _handlers/dashboard/create.ts uses the correct approach:

// Dashboard API — blocks creating users at or above own rank
const callerPerm = availablePermissionRanks.indexOf(userData.permissionLevel);
const targetPerm = availablePermissionRanks.indexOf(rank);

if (targetPerm >= callerPerm) {
    return yield* new DashboardAPIError({
        error: 'Unauthorized: insufficient permissions to assign target rank',
    });
}

With availablePermissionRanks = ['unknown', 'visitor', 'editor', 'admin', 'owner']: - Admin (index 3) creating admin (index 3): 3 >= 3 = blocked in Dashboard - In REST API: no such check — allowed

PoC

# 1. Use an admin-level API token

# 2. Create a new admin user via REST API
curl -X POST 'http://localhost:4321/studiocms_api/rest/v1/secure/users' \
  -H 'Authorization: Bearer <admin-api-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "rogue_admin",
    "email": "rogue@attacker.com",
    "displayname": "Rogue Admin",
    "rank": "admin",
    "password": "StrongP@ssw0rd123"
  }'

# Expected: 403 Forbidden (admin should not create peer admin accounts)
# Actual: 200 with new admin user created

Impact

  • A compromised or rogue admin can create additional admin accounts as persistence mechanisms that survive password resets or token revocations
  • Inconsistent security model between Dashboard API and REST API creates confusion about intended authorization boundaries
  • Note: requires admin access (PR:H), which limits practical severity

Recommended Fix

Replace string-based checks with indexOf comparison in packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts:

// Before:
if (newUserRank === 'owner' && rank !== 'owner') { ... }
if (rank === 'admin' && newUserRank === 'owner') { ... }

// After:
const availablePermissionRanks = ['unknown', 'visitor', 'editor', 'admin', 'owner'];
const callerPerm = availablePermissionRanks.indexOf(rank);
const targetPerm = availablePermissionRanks.indexOf(newUserRank);

if (targetPerm >= callerPerm) {
    return yield* new RestAPIError({
        error: 'Unauthorized: insufficient permissions to assign target rank',
    });
}
Severity ?
4.7 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "studiocms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:49:48Z",
    "nvd_published_at": "2026-03-11T21:16:16Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts, while the Dashboard API uses `indexOf`-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence.\n\n## Details\n\nThe REST API handler in `packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts:1365-1378`:\n\n```typescript\n// REST API \u2014 only blocks creating \u0027owner\u0027\nif (newUserRank === \u0027owner\u0027 \u0026\u0026 rank !== \u0027owner\u0027) {\n    return yield* new RestAPIError({\n        error: \u0027Unauthorized to create user with owner rank\u0027,\n    });\n}\n\nif (rank === \u0027admin\u0027 \u0026\u0026 newUserRank === \u0027owner\u0027) {\n    return yield* new RestAPIError({\n        error: \u0027Unauthorized to create user with owner rank\u0027,\n    });\n}\n\n// Missing: no check preventing admin from creating admin\n// newUserRank=\u0027admin\u0027 passes all checks\n```\n\nThe Dashboard API handler in `_handlers/dashboard/create.ts` uses the correct approach:\n\n```typescript\n// Dashboard API \u2014 blocks creating users at or above own rank\nconst callerPerm = availablePermissionRanks.indexOf(userData.permissionLevel);\nconst targetPerm = availablePermissionRanks.indexOf(rank);\n\nif (targetPerm \u003e= callerPerm) {\n    return yield* new DashboardAPIError({\n        error: \u0027Unauthorized: insufficient permissions to assign target rank\u0027,\n    });\n}\n```\n\nWith `availablePermissionRanks = [\u0027unknown\u0027, \u0027visitor\u0027, \u0027editor\u0027, \u0027admin\u0027, \u0027owner\u0027]`:\n- Admin (index 3) creating admin (index 3): `3 \u003e= 3` = blocked in Dashboard\n- In REST API: no such check \u2014 allowed\n\n## PoC\n\n```bash\n# 1. Use an admin-level API token\n\n# 2. Create a new admin user via REST API\ncurl -X POST \u0027http://localhost:4321/studiocms_api/rest/v1/secure/users\u0027 \\\n  -H \u0027Authorization: Bearer \u003cadmin-api-token\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"username\": \"rogue_admin\",\n    \"email\": \"rogue@attacker.com\",\n    \"displayname\": \"Rogue Admin\",\n    \"rank\": \"admin\",\n    \"password\": \"StrongP@ssw0rd123\"\n  }\u0027\n\n# Expected: 403 Forbidden (admin should not create peer admin accounts)\n# Actual: 200 with new admin user created\n```\n\n## Impact\n\n- A compromised or rogue admin can create additional admin accounts as persistence mechanisms that survive password resets or token revocations\n- Inconsistent security model between Dashboard API and REST API creates confusion about intended authorization boundaries\n- Note: requires admin access (PR:H), which limits practical severity\n\n## Recommended Fix\n\nReplace string-based checks with `indexOf` comparison in `packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts`:\n\n```typescript\n// Before:\nif (newUserRank === \u0027owner\u0027 \u0026\u0026 rank !== \u0027owner\u0027) { ... }\nif (rank === \u0027admin\u0027 \u0026\u0026 newUserRank === \u0027owner\u0027) { ... }\n\n// After:\nconst availablePermissionRanks = [\u0027unknown\u0027, \u0027visitor\u0027, \u0027editor\u0027, \u0027admin\u0027, \u0027owner\u0027];\nconst callerPerm = availablePermissionRanks.indexOf(rank);\nconst targetPerm = availablePermissionRanks.indexOf(newUserRank);\n\nif (targetPerm \u003e= callerPerm) {\n    return yield* new RestAPIError({\n        error: \u0027Unauthorized: insufficient permissions to assign target rank\u0027,\n    });\n}\n```",
  "id": "GHSA-wj56-g96r-673q",
  "modified": "2026-03-12T14:49:48Z",
  "published": "2026-03-12T14:49:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32106"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withstudiocms/studiocms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.