{"id":"CVE-2026-32104","summary":"StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings","details":"StudioCMS is a server-side-rendered, Astro-native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (i.e., there is no id !== userData.user.id ownership check). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.","aliases":["GHSA-9v82-xrm4-mp52"],"modified":"2026-04-02T13:53:40.254806Z","published":"2026-03-11T20:09:44.879Z","database_specific":{"cwe_ids":["CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32104.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32104.json"},{"type":"ADVISORY","url":"https://github.com/withstudiocms/studiocms/security/advisories/GHSA-9v82-xrm4-mp52"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32104"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/withstudiocms/studiocms","events":[{"introduced":"0"},{"fixed":"3fd987c7a8fddef8366e2ce9544293ee290067fa"}]}],"versions":["0.1.0-beta.1","@astrolicious/studiocms-blog@0.1.0-beta.2","@astrolicious/studiocms-blog@0.1.0-beta.3","@astrolicious/studiocms-blog@0.1.0-beta.4","@astrolicious/studiocms@0.1.0-beta.2","@astrolicious/studiocms@0.1.0-beta.3","@astrolicious/studiocms@0.1.0-beta.4","@studiocms/assets@0.1.0-beta.5","@studiocms/assets@0.1.0-beta.6","@studiocms/assets@0.1.0-beta.7","@studiocms/auth0@0.1.0","@studiocms/auth0@0.1.0-beta.23","@studiocms/auth0@0.1.0-beta.24","@studiocms/auth0@0.1.0-beta
.25","@studiocms/auth0@0.1.0-beta.26","@studiocms/auth0@0.1.0-beta.27","@studiocms/auth0@0.1.0-beta.28","@studiocms/auth0@0.1.0-beta.29","@studiocms/auth0@0.1.0-beta.30","@studiocms/auth0@0.1.0-beta.31","@studiocms/auth0@0.1.1","@studiocms/auth0@0.2.0","@studiocms/auth0@0.3.0","@studiocms/auth@0.1.0-beta.5","@studiocms/auth@0.1.0-beta.6","@studiocms/auth@0.1.0-beta.7","@studiocms/betaresources@0.1.0-beta.5","@studiocms/betaresources@0.1.0-beta.6","@studiocms/betaresources@0.1.0-beta.7","@studiocms/blog@0.1.0","@studiocms/blog@0.1.0-beta.10","@studiocms/blog@0.1.0-beta.11","@studiocms/blog@0.1.0-beta.12","@studiocms/blog@0.1.0-beta.13","@studiocms/blog@0.1.0-beta.14","@studiocms/blog@0.1.0-beta.15","@studiocms/blog@0.1.0-beta.16","@studiocms/blog@0.1.0-beta.17","@studiocms/blog@0.1.0-beta.18","@studiocms/blog@0.1.0-beta.19","@studiocms/blog@0.1.0-beta.20","@studiocms/blog@0.1.0-beta.21","@studiocms/blog@0.1.0-beta.22","@studiocms/blog@0.1.0-beta.23","@studiocms/blog@0.1.0-beta.24","@studiocms/blog@0.1.0-beta.25","@studiocms/blog@0.1.0-beta.26","@studiocms/blog@0.1.0-beta.27","@studiocms/blog@0.1.0-beta.28","@studiocms/blog@0.1.0-beta.29","@studiocms/blog@0.1.0-beta.30","@studiocms/blog@0.1.0-beta.31","@studiocms/blog@0.1.0-beta.5","@studiocms/blog@0.1.0-beta.6","@studiocms/blog@0.1.0-beta.7","@studiocms/blog@0.1.0-beta.8","@studiocms/blog@0.1.0-beta.9","@studiocms/blog@0.1.1","@studiocms/blog@0.2.0","@studiocms/blog@0.3.0","@studiocms/cloudinary-image-service@0.1.0","@studiocms/cloudinary-image-service@0.1.0-beta.19","@studiocms/cloudinary-image-service@0.1.0-beta.20","@studiocms/cloudinary-image-service@0.1.0-beta.21","@studiocms/cloudinary-image-service@0.1.0-beta.22","@studiocms/cloudinary-image-service@0.1.0-beta.23","@studiocms/cloudinary-image-service@0.1.0-beta.24","@studiocms/cloudinary-image-service@0.1.0-beta.25","@studiocms/cloudinary-image-service@0.1.0-beta.26","@studiocms/cloudinary-image-service@0.1.0-beta.27","@studiocms/cloudinary-image-service@0.1.0
-beta.28","@studiocms/cloudinary-image-service@0.1.0-beta.29","@studiocms/cloudinary-image-service@0.1.0-beta.30","@studiocms/cloudinary-image-service@0.1.0-beta.31","@studiocms/cloudinary-image-service@0.1.1","@studiocms/cloudinary-image-service@0.2.0","@studiocms/cloudinary-image-service@0.3.0","@studiocms/core@0.1.0-beta.5","@studiocms/core@0.1.0-beta.6","@studiocms/core@0.1.0-beta.7","@studiocms/dashboard@0.1.0-beta.5","@studiocms/dashboard@0.1.0-beta.6","@studiocms/dashboard@0.1.0-beta.7","@studiocms/devapps@0.1.0","@studiocms/devapps@0.1.0-beta.10","@studiocms/devapps@0.1.0-beta.11","@studiocms/devapps@0.1.0-beta.12","@studiocms/devapps@0.1.0-beta.13","@studiocms/devapps@0.1.0-beta.14","@studiocms/devapps@0.1.0-beta.15","@studiocms/devapps@0.1.0-beta.16","@studiocms/devapps@0.1.0-beta.17","@studiocms/devapps@0.1.0-beta.18","@studiocms/devapps@0.1.0-beta.19","@studiocms/devapps@0.1.0-beta.20","@studiocms/devapps@0.1.0-beta.21","@studiocms/devapps@0.1.0-beta.22","@studiocms/devapps@0.1.0-beta.23","@studiocms/devapps@0.1.0-beta.24","@studiocms/devapps@0.1.0-beta.25","@studiocms/devapps@0.1.0-beta.26","@studiocms/devapps@0.1.0-beta.27","@studiocms/devapps@0.1.0-beta.28","@studiocms/devapps@0.1.0-beta.29","@studiocms/devapps@0.1.0-beta.30","@studiocms/devapps@0.1.0-beta.31","@studiocms/devapps@0.1.0-beta.8","@studiocms/devapps@0.1.0-beta.9","@studiocms/devapps@0.1.1","@studiocms/devapps@0.2.0","@studiocms/devapps@0.2.1","@studiocms/devapps@0.3.0","@studiocms/discord@0.1.0","@studiocms/discord@0.1.0-beta.23","@studiocms/discord@0.1.0-beta.24","@studiocms/discord@0.1.0-beta.25","@studiocms/discord@0.1.0-beta.26","@studiocms/discord@0.1.0-beta.27","@studiocms/discord@0.1.0-beta.28","@studiocms/discord@0.1.0-beta.29","@studiocms/discord@0.1.0-beta.30","@studiocms/discord@0.1.0-beta.31","@studiocms/discord@0.1.1","@studiocms/discord@0.2.0","@studiocms/discord@0.3.0","@studiocms/frontend@0.1.0-beta.5","@studiocms/frontend@0.1.0-beta.6","@studiocms/frontend@0.1.0-beta.7",
"@studiocms/github@0.1.0","@studiocms/github@0.1.0-beta.23","@studiocms/github@0.1.0-beta.24","@studiocms/github@0.1.0-beta.25","@studiocms/github@0.1.0-beta.26","@studiocms/github@0.1.0-beta.27","@studiocms/github@0.1.0-beta.28","@studiocms/github@0.1.0-beta.29","@studiocms/github@0.1.0-beta.30","@studiocms/github@0.1.0-beta.31","@studiocms/github@0.1.1","@studiocms/github@0.2.0","@studiocms/github@0.3.0","@studiocms/google@0.1.0","@studiocms/google@0.1.0-beta.23","@studiocms/google@0.1.0-beta.24","@studiocms/google@0.1.0-beta.25","@studiocms/google@0.1.0-beta.26","@studiocms/google@0.1.0-beta.27","@studiocms/google@0.1.0-beta.28","@studiocms/google@0.1.0-beta.29","@studiocms/google@0.1.0-beta.30","@studiocms/google@0.1.0-beta.31","@studiocms/google@0.1.1","@studiocms/google@0.2.0","@studiocms/google@0.3.0","@studiocms/html@0.1.0","@studiocms/html@0.1.0-beta.22","@studiocms/html@0.1.0-beta.23","@studiocms/html@0.1.0-beta.24","@studiocms/html@0.1.0-beta.25","@studiocms/html@0.1.0-beta.26","@studiocms/html@0.1.0-beta.27","@studiocms/html@0.1.0-beta.28","@studiocms/html@0.1.0-beta.29","@studiocms/html@0.1.0-beta.30","@studiocms/html@0.1.0-beta.31","@studiocms/html@0.1.1","@studiocms/html@0.2.0","@studiocms/html@0.2.1","@studiocms/html@0.3.0","@studiocms/imagehandler@0.1.0-beta.5","@studiocms/imagehandler@0.1.0-beta.6","@studiocms/imagehandler@0.1.0-beta.7","@studiocms/markdoc@0.1.0","@studiocms/markdoc@0.1.0-beta.13","@studiocms/markdoc@0.1.0-beta.14","@studiocms/markdoc@0.1.0-beta.15","@studiocms/markdoc@0.1.0-beta.16","@studiocms/markdoc@0.1.0-beta.17","@studiocms/markdoc@0.1.0-beta.18","@studiocms/markdoc@0.1.0-beta.19","@studiocms/markdoc@0.1.0-beta.20","@studiocms/markdoc@0.1.0-beta.21","@studiocms/markdoc@0.1.0-beta.22","@studiocms/markdoc@0.1.0-beta.23","@studiocms/markdoc@0.1.0-beta.24","@studiocms/markdoc@0.1.0-beta.25","@studiocms/markdoc@0.1.0-beta.26","@studiocms/markdoc@0.1.0-beta.27","@studiocms/markdoc@0.1.0-beta.28","@studiocms/markdoc@0.1.0-beta.29","
@studiocms/markdoc@0.1.0-beta.30","@studiocms/markdoc@0.1.0-beta.31","@studiocms/markdoc@0.1.1","@studiocms/markdoc@0.2.0","@studiocms/markdoc@0.3.0","@studiocms/markdown-remark@1.3.0","@studiocms/markdown-remark@1.3.1","@studiocms/md@0.1.0","@studiocms/md@0.1.0-beta.22","@studiocms/md@0.1.0-beta.23","@studiocms/md@0.1.0-beta.24","@studiocms/md@0.1.0-beta.25","@studiocms/md@0.1.0-beta.26","@studiocms/md@0.1.0-beta.27","@studiocms/md@0.1.0-beta.28","@studiocms/md@0.1.0-beta.29","@studiocms/md@0.1.0-beta.30","@studiocms/md@0.1.0-beta.31","@studiocms/md@0.1.1","@studiocms/md@0.2.0","@studiocms/md@0.3.0","@studiocms/mdx@0.1.0","@studiocms/mdx@0.1.0-beta.13","@studiocms/mdx@0.1.0-beta.14","@studiocms/mdx@0.1.0-beta.15","@studiocms/mdx@0.1.0-beta.16","@studiocms/mdx@0.1.0-beta.17","@studiocms/mdx@0.1.0-beta.18","@studiocms/mdx@0.1.0-beta.19","@studiocms/mdx@0.1.0-beta.20","@studiocms/mdx@0.1.0-beta.21","@studiocms/mdx@0.1.0-beta.22","@studiocms/mdx@0.1.0-beta.23","@studiocms/mdx@0.1.0-beta.24","@studiocms/mdx@0.1.0-beta.25","@studiocms/mdx@0.1.0-beta.26","@studiocms/mdx@0.1.0-beta.27","@studiocms/mdx@0.1.0-beta.28","@studiocms/mdx@0.1.0-beta.29","@studiocms/mdx@0.1.0-beta.30","@studiocms/mdx@0.1.0-beta.31","@studiocms/mdx@0.1.1","@studiocms/mdx@0.2.0","@studiocms/mdx@0.3.0","@studiocms/migrator@0.1.0","@studiocms/migrator@0.1.0-beta.1","@studiocms/migrator@0.1.1","@studiocms/migrator@0.2.0","@studiocms/migrator@0.2.1","@studiocms/renderers@0.1.0-beta.5","@studiocms/renderers@0.1.0-beta.6","@studiocms/renderers@0.1.0-beta.7","@studiocms/robotstxt@0.1.0-beta.5","@studiocms/robotstxt@0.1.0-beta.6","@studiocms/robotstxt@0.1.0-beta.7","@studiocms/s3-storage@0.1.0","@studiocms/s3-storage@0.1.1","@studiocms/s3-storage@0.2.0","@studiocms/s3-storage@0.2.1","@studiocms/s3-storage@0.3.0","@studiocms/upgrade@0.2.0","@studiocms/upgrade@0.2.1","@studiocms/wysiwyg@0.1.0","@studiocms/wysiwyg@0.1.0-beta.24","@studiocms/wysiwyg@0.1.0-beta.25","@studiocms/wysiwyg@0.1.0-beta.26","@studiocms/
wysiwyg@0.1.0-beta.27","@studiocms/wysiwyg@0.1.0-beta.28","@studiocms/wysiwyg@0.1.0-beta.29","@studiocms/wysiwyg@0.1.0-beta.30","@studiocms/wysiwyg@0.1.0-beta.31","@studiocms/wysiwyg@0.1.1","@studiocms/wysiwyg@0.2.0","@studiocms/wysiwyg@0.3.0","@withstudiocms/api-spec@0.1.0","@withstudiocms/api-spec@0.2.0","@withstudiocms/api-spec@0.3.0","@withstudiocms/api-spec@0.3.1","@withstudiocms/auth-kit@0.1.0","@withstudiocms/auth-kit@0.1.0-beta.1","@withstudiocms/auth-kit@0.1.0-beta.2","@withstudiocms/auth-kit@0.1.0-beta.3","@withstudiocms/auth-kit@0.1.0-beta.4","@withstudiocms/auth-kit@0.1.0-beta.5","@withstudiocms/auth-kit@0.1.0-beta.6","@withstudiocms/auth-kit@0.1.1","@withstudiocms/auth-kit@0.1.2","@withstudiocms/auth-kit@0.1.3","@withstudiocms/auth-kit@0.1.4","@withstudiocms/buildkit@0.1.0","@withstudiocms/buildkit@0.1.0-beta.1","@withstudiocms/buildkit@0.1.0-beta.2","@withstudiocms/buildkit@0.1.0-beta.3","@withstudiocms/buildkit@0.1.0-beta.4","@withstudiocms/buildkit@0.1.0-beta.5","@withstudiocms/buildkit@0.1.0-beta.6","@withstudiocms/buildkit@0.2.0","@withstudiocms/buildkit@0.2.1","@withstudiocms/cli-kit@0.2.0","@withstudiocms/cli-kit@0.2.1","@withstudiocms/component-registry@0.1.0","@withstudiocms/component-registry@0.1.0-beta.1","@withstudiocms/component-registry@0.1.0-beta.2","@withstudiocms/component-registry@0.1.0-beta.3","@withstudiocms/component-registry@0.1.0-beta.4","@withstudiocms/component-registry@0.1.0-beta.5","@withstudiocms/component-registry@0.1.0-beta.6","@withstudiocms/component-registry@0.1.0-beta.7","@withstudiocms/component-registry@0.1.1","@withstudiocms/component-registry@0.1.2","@withstudiocms/component-registry@0.1.3","@withstudiocms/component-registry@0.1.4","@withstudiocms/config-utils@0.1.0","@withstudiocms/config-utils@0.1.0-beta.1","@withstudiocms/config-utils@0.1.0-beta.2","@withstudiocms/config-utils@0.1.0-beta.3","@withstudiocms/config-utils@0.1.0-beta.4","@withstudiocms/config-utils@0.1.0-beta.5","@withstudiocms/config-utils@0.2.0","@
withstudiocms/effect@0.1.0","@withstudiocms/effect@0.1.0-beta.1","@withstudiocms/effect@0.1.0-beta.2","@withstudiocms/effect@0.1.0-beta.3","@withstudiocms/effect@0.1.0-beta.4","@withstudiocms/effect@0.1.0-beta.5","@withstudiocms/effect@0.1.0-beta.6","@withstudiocms/effect@0.1.0-beta.7","@withstudiocms/effect@0.2.0","@withstudiocms/effect@0.3.0","@withstudiocms/effect@0.4.0","@withstudiocms/internal_helpers@0.1.0","@withstudiocms/internal_helpers@0.1.0-beta.1","@withstudiocms/internal_helpers@0.1.0-beta.2","@withstudiocms/internal_helpers@0.1.0-beta.3","@withstudiocms/internal_helpers@0.1.0-beta.4","@withstudiocms/internal_helpers@0.1.1","@withstudiocms/internal_helpers@0.2.0","@withstudiocms/kysely@0.1.0","@withstudiocms/kysely@0.1.0-beta.1","@withstudiocms/kysely@0.2.0","@withstudiocms/kysely@0.2.1","@withstudiocms/sdk@0.1.0","@withstudiocms/sdk@0.1.0-beta.1","@withstudiocms/sdk@0.1.1","@withstudiocms/sdk@0.2.0","@withstudiocms/sdk@0.3.0","@withstudiocms/template-lang@0.1.0","@withstudiocms/template-lang@0.1.0-beta.1","create-studiocms@0.4.0","create-studiocms@0.5.0","create-studiocms@0.6.0","effectify@0.1.0","effectify@0.1.1","studiocms@0.1.0","studiocms@0.1.0-beta.10","studiocms@0.1.0-beta.11","studiocms@0.1.0-beta.12","studiocms@0.1.0-beta.13","studiocms@0.1.0-beta.14","studiocms@0.1.0-beta.15","studiocms@0.1.0-beta.16","studiocms@0.1.0-beta.17","studiocms@0.1.0-beta.18","studiocms@0.1.0-beta.19","studiocms@0.1.0-beta.20","studiocms@0.1.0-beta.21","studiocms@0.1.0-beta.22","studiocms@0.1.0-beta.23","studiocms@0.1.0-beta.24","studiocms@0.1.0-beta.25","studiocms@0.1.0-beta.26","studiocms@0.1.0-beta.27","studiocms@0.1.0-beta.28","studiocms@0.1.0-beta.29","studiocms@0.1.0-beta.30","studiocms@0.1.0-beta.31","studiocms@0.1.0-beta.5","studiocms@0.1.0-beta.6","studiocms@0.1.0-beta.7","studiocms@0.1.0-beta.8","studiocms@0.1.0-beta.9","studiocms@0.1.1","studiocms@0.2.0","studiocms@0.3.0","studiocms@0.4.0","studiocms@0.4.1","studiocms@0.4.2"],"database_specific":{"source":
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32104.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}]}