CVE-2026-24134
StudioCMS has Authorization Bypass Through User-Controlled Key
Description
### Summary StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. ### Details **The Issue:** The endpoint `/dashboard/content-management/edit?edit={UUID}` validates user authentication but does NOT validate: 1. User role (should require Editor/Admin/Owner) 2. Content ownership (should verify the draft belongs to the user) This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID. ### PoC - **User A:** Editor role (example username: `dummy04`) - **User B:** Visitor role (example username: `dummy01`) **Reproduction Steps:** **Step 1 - Create draft as Editor:** 1. Login as User A (Editor role) 2. Navigate to: `http://localhost:4321/dashboard/content-management` 3. Create new content (it will stay as draft) 4. After saving, note the UUID in the URL: ```` http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148 ```` Copy this UUID: `bad87630-69a4-4cd6-bcb2-6965839dc148` **Step 2 - Access draft as Visitor:** 1. Login as Visitor and get auth_session cookie ``` curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$' ``` <img width="1128" height="376" alt="01" src="https://github.com/user-attachments/assets/86c5290e-e7a2-470e-bbf5-5f5247eddec1" /> 2. Proof of Visitor permission <img width="1899" height="450" alt="02" src="https://github.com/user-attachments/assets/aabd47d3-163f-4a56-8296-08bd40c5ccdc" /> 3. Access Editor's draft using the UUID ``` curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v ``` **Result:** Returns full HTML page with draft content (200 OK) ### Impact **Impact Scenarios:** 1. **Information Disclosure:** - Visitor users can read unpublished drafts containing sensitive information - Drafts may contain confidential business information, unreleased announcements, or proprietary content - Competitive intelligence could be gathered from draft content 2. **Privacy Violation:** - Personal notes, work-in-progress content, or internal communications in drafts exposed - Violation of content creator privacy expectations 3. **Business Impact:** - Premature disclosure of marketing campaigns, product launches, or announcements - Loss of competitive advantage if draft strategies are exposed - Potential compliance issues if drafts contain regulated information 4. **Complete RBAC Bypass:** - The entire role-based access control system for draft content is bypassed - "Visitor" role becomes equivalent to "Editor" for read access to drafts - Undermines the trust model of multi-user content management