CVE-2026-32101: StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check

March 12, 2026

The S3 storage manager’s isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket.

References

github.com/advisories/GHSA-mm78-fgq8-6pgr
github.com/withstudiocms/studiocms
github.com/withstudiocms/studiocms/security/advisories/GHSA-mm78-fgq8-6pgr
nvd.nist.gov/vuln/detail/CVE-2026-32101

Code Behaviors & Features

Detect and mitigate CVE-2026-32101 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →