CVE-2026-32106: StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts

March 12, 2026

The REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence.

References

github.com/advisories/GHSA-wj56-g96r-673q
github.com/withstudiocms/studiocms
github.com/withstudiocms/studiocms/security/advisories/GHSA-wj56-g96r-673q
nvd.nist.gov/vuln/detail/CVE-2026-32106

Code Behaviors & Features

Detect and mitigate CVE-2026-32106 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →