CVE-2026-32638: StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
The REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent getUser endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface.
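The following is an added illustration of the flaw class described above, not StudioCMS code: a minimal model in which the caller-supplied rank parameter decides whether owner records are hidden, beside the hardened form that derives visibility from the authenticated caller's own rank. The user table, the rank values and the function names are constructed assumptions.

```javascript
// Constructed sample user table (not real StudioCMS data).
const USERS = [
  { id: 'u1', username: 'root',  displayName: 'Site Owner', email: 'owner@example.test', rank: 'owner'  },
  { id: 'u2', username: 'alice', displayName: 'Alice',      email: 'alice@example.test', rank: 'admin'  },
  { id: 'u3', username: 'bob',   displayName: 'Bob',        email: 'bob@example.test',   rank: 'editor' },
];

function isPrivileged(callerRank) {
  return callerRank === 'admin' || callerRank === 'owner';
}

// Vulnerable pattern (hypothetical handler): the query parameter, chosen by the
// caller, controls whether owner accounts are filtered out. Omitting rank hides
// owners, but an admin asking for rank=owner disables the filter and gets them.
function getUsersVulnerable(callerRank, query) {
  if (!isPrivileged(callerRank)) return { status: 403, body: [] };
  const requested = query.rank;
  const hideOwners = requested !== 'owner'; // decision keyed on attacker-controlled input
  let rows = USERS;
  if (requested) rows = rows.filter((u) => u.rank === requested);
  if (hideOwners) rows = rows.filter((u) => u.rank !== 'owner');
  return { status: 200, body: rows };
}

// Hardened pattern (hypothetical handler): the visible set is derived from the
// caller's authenticated rank first; the optional rank filter only narrows that
// set, so no query value can widen what an admin is allowed to see.
function getUsersFixed(callerRank, query) {
  if (!isPrivileged(callerRank)) return { status: 403, body: [] };
  const visible = callerRank === 'owner' ? USERS : USERS.filter((u) => u.rank !== 'owner');
  const rows = query.rank ? visible.filter((u) => u.rank === query.rank) : visible;
  return { status: 200, body: rows };
}
```

A regression test for this class of bug should assert on the caller's rank, not on the query: an admin token must receive no owner rows for any value of rank.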
References
- github.com/advisories/GHSA-xvf4-ch4q-2m24
- github.com/withstudiocms/studiocms
- github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64
- github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.4
- github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24
- nvd.nist.gov/vuln/detail/CVE-2026-32638