CVE-2026-30944
Published: 10 March 2026
Summary
CVE-2026-30944 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Studiocms Studiocms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations, directly addressing the endpoint's failure to validate requesting user authorization for generating API tokens on behalf of other users.
AC-6 enforces least privilege, preventing Editor-level users from performing administrative actions like creating API tokens for higher-privileged accounts.
AC-5 implements separation of duties, mitigating privilege escalation by ensuring no single role can generate tokens for other users without proper segregation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authorization bypass (IDOR-style) on an API token generation endpoint that directly allows low-privileged authenticated users to obtain valid tokens for owner/admin accounts, enabling privilege escalation to full CMS compromise.
NVD Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to…
more
validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0.
Deeper analysisAI
CVE-2026-30944 is a privilege escalation vulnerability in StudioCMS, a server-side-rendered, Astro native, headless content management system, affecting versions prior to 0.4.0. The issue stems from the /studiocms_api/dashboard/api-tokens endpoint, which allows any authenticated user with at least Editor privileges to generate API tokens for any other user, including owner and admin accounts. This flaw arises because the endpoint does not validate whether the requesting user is authorized to create tokens on behalf of the specified target user ID, mapped to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Incorrect Authorization).
Attackers require only low-privilege Editor access and can exploit the vulnerability remotely over the network with low attack complexity and no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 8.8). By sending crafted requests to the endpoint, they can generate valid API tokens for higher-privileged accounts, enabling full compromise of the CMS instance through unauthorized access to administrative functions, data manipulation, and potential further lateral movement.
The vulnerability is fixed in StudioCMS 0.4.0. Mitigation involves upgrading to version 0.4.0 or later. Details are available in the patching commit (https://github.com/withstudiocms/studiocms/commit/f4a209fc090c90195e2419fff47b48a46eab7441), release notes (https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.0), and GitHub security advisory (https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4).
Details
- CWE(s)