CVE-2026-24134: StudioCMS has Authorization Bypass Through User-Controlled Key
StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users holding only the "Visitor" role to access draft content created by Editor, Admin or Owner users. The weakness class named in the title, authorization bypass through a user-controlled key (CWE-639), indicates that the content identifier supplied by the requester is used to fetch the object without checking whether that requester is permitted to read it; the check must be made on the (requester, object) pair, not on the identifier alone.
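The pattern the advisory describes, as an added illustration that is not StudioCMS code and does not reproduce the project's actual fix (see the referenced commit for that). The role names, the in-memory page store and the `getPageVulnerable`/`getPageHardened` functions are constructed assumptions; the point is that the object is looked up by the caller-supplied id and the authorization decision is then made on the requester and the object together.

```typescript
// Added example of object-level authorization on a CMS page fetch.
// Not StudioCMS code; roles, store and function names are assumptions.

type Role = "visitor" | "editor" | "admin" | "owner";

interface User {
  id: string;
  role: Role;
}

interface Page {
  id: string;
  authorId: string;
  status: "draft" | "published";
  content: string;
}

// Constructed in-memory store standing in for the CMS database.
const PAGES: Map<string, Page> = new Map([
  ["1", { id: "1", authorId: "ed", status: "published", content: "Hello" }],
  ["2", { id: "2", authorId: "ed", status: "draft", content: "Unreleased" }],
]);

// Vulnerable shape: the caller-controlled id is the only input to the lookup.
// Neither the requester's role nor the page's draft status is consulted, so a
// visitor who knows or guesses id "2" receives the draft.
function getPageVulnerable(user: User, pageId: string): Page | null {
  void user; // unused: this is the defect
  return PAGES.get(pageId) ?? null;
}

// Roles allowed to read unpublished content.
const CONTENT_ROLES: ReadonlySet<Role> = new Set(["editor", "admin", "owner"]);

// Decision made on the (requester, object) pair, after the object is resolved.
function canReadPage(user: User, page: Page): boolean {
  if (page.status === "published") return true;
  return CONTENT_ROLES.has(user.role);
}

// Hardened shape: resolve the object, then authorize before returning it.
// Drafts are reported as "not found" rather than "forbidden" so a visitor
// cannot use the response to enumerate which ids are unpublished drafts.
function getPageHardened(user: User, pageId: string): Page | null {
  const page = PAGES.get(pageId);
  if (!page) return null;
  return canReadPage(user, page) ? page : null;
}
```

The hardened lookup keeps the same signature, so call sites do not change; the check has simply moved to where the object and the requester are both known. Returning `null` for both missing and unauthorized drafts avoids leaking the existence of unpublished ids to a visitor.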
References
- github.com/advisories/GHSA-8cw6-53m5-4932
- github.com/withstudiocms/studiocms
- github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad
- github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0
- github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932
- nvd.nist.gov/vuln/detail/CVE-2026-24134