CVE-2026-32104

{"id": "CVE-2026-32104", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-11T21:16:16.457", "references": [{"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3."}, {"lang": "es", "value": "StudioCMS es un sistema de gesti\u00f3n de contenido sin cabeza, nativo de Astro y renderizado en el lado del servidor. Antes de la versi\u00f3n 0.4.3, el endpoint updateUserNotifications acepta un ID de usuario del payload de la solicitud y lo utiliza para actualizar las preferencias de notificaci\u00f3n de ese usuario. Verifica que el llamador ha iniciado sesi\u00f3n, pero nunca verifica que el llamador es propietario de la cuenta objetivo (id !== userData.user.id). Cualquier visitante autenticado puede modificar las preferencias de notificaci\u00f3n para cualquier usuario, incluyendo la desactivaci\u00f3n de las notificaciones de administrador para suprimir la detecci\u00f3n de actividad maliciosa. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.4.3."}], "lastModified": "2026-03-17T15:35:38.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD3D1012-B2EE-465F-8398-96C5B01C1399", "versionEndExcluding": "0.4.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}