Studiocms
CVE-2026-30945
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
AnalysisAI
StudioCMS prior to version 0.4.0 allows authenticated editors and above to revoke API tokens belonging to any user, including administrators and owners, due to insufficient authorization checks on the DELETE /studiocms_api/dashboard/api-tokens endpoint. An attacker with editor privileges can exploit this to disable critical integrations and automations by revoking tokens of higher-privileged accounts. No patch is currently available for affected versions.
Technical ContextAI
This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) exists in the and owner accounts. The component. StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against c
RemediationAI
Fixed in version 0.4.0.. Restrict network access to the affected service where possible.
Privilege escalation in StudioCMS versions prior to 0.4.0 enables authenticated Editor-level users to generate API token
High severity vulnerability in StudioCMS. The S3 storage manager's `isAuthorized()` function is declared `async` (return
Medium severity vulnerability in StudioCMS. The POST /studiocms_api/dashboard/create-reset-link endpoint allows any auth
headless content management system. versions up to 0.2.0 is affected by authorization bypass through user-controlled key
A security vulnerability in StudioCMS (CVSS 5.4). Remediation should follow standard vulnerability management procedures
## Summary The REST API `createUser` endpoint uses string-based rank checks that only block creating `owner` accounts,
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8rgj-vrfr-6hqr