Studiocms
CVE-2026-30944
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0.
AnalysisAI
Privilege escalation in StudioCMS versions prior to 0.4.0 enables authenticated Editor-level users to generate API tokens for arbitrary accounts, including administrative and owner roles, due to missing authorization validation on the /studiocms_api/dashboard/api-tokens endpoint. An attacker with basic editor privileges can exploit this to gain full administrative access without requiring the target account's credentials. No patch is currently available for affected installations.
Technical ContextAI
This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) exists in the accounts. The component. StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0.
RemediationAI
Fixed in version 0.4.0.. Restrict network access to the affected service where possible.
High severity vulnerability in StudioCMS. The S3 storage manager's `isAuthorized()` function is declared `async` (return
StudioCMS prior to version 0.4.0 allows authenticated editors and above to revoke API tokens belonging to any user, incl
Medium severity vulnerability in StudioCMS. The POST /studiocms_api/dashboard/create-reset-link endpoint allows any auth
headless content management system. versions up to 0.2.0 is affected by authorization bypass through user-controlled key
A security vulnerability in StudioCMS (CVSS 5.4). Remediation should follow standard vulnerability management procedures
## Summary The REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts,
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-667w-mmh7-mrr4