Untriaged
Permalink
CVE-2026-32101
7.6 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): HIGH
- Availability impact (A): LOW
StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise<boolean>) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
References
Affected products
s3-storage
- ==< 0.3.1
Matching in nixpkgs
pkgs.matrix-synapse-plugins.matrix-synapse-s3-storage-provider
Synapse storage provider to fetch and store media in Amazon S3
-
nixos-unstable s3-storage-provider-1.6.0
- nixpkgs-unstable s3-storage-provider-1.6.0
- nixos-unstable-small s3-storage-provider-1.6.0
-
nixos-25.11 s3-storage-provider-1.6.0
- nixos-25.11-small s3-storage-provider-1.6.0
- nixpkgs-25.11-darwin s3-storage-provider-1.6.0