CVE-2026-30945
Published: 10 March 2026
Summary
CVE-2026-30945 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in StudioCMS (vendor Studiocms). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Applying decisions to each request prior to enforcement mitigates incorrect authorization by enforcing consistent policy evaluation.
Mandating policy-based enforcement reduces the chance of incorrect authorization logic being used.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass on DELETE /api-tokens allows authenticated editor+ users to revoke arbitrary users' API tokens (including admins/owners), directly enabling Account Access Removal for targeted availability impact/DoS against integrations.
NVD Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
Deeper analysis
CVE-2026-30945 affects StudioCMS, a server-side-rendered, Astro native, headless content management system, in versions prior to 0.4.0. The vulnerability resides in the DELETE /studiocms_api/dashboard/api-tokens endpoint, which permits any authenticated user with editor privileges or higher to revoke API tokens belonging to any other user, including admin and owner accounts. The endpoint handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy, violating access control principles (CWE-639: Authorization Bypass Through User-Controlled Key, CWE-863: Incorrect Authorization). It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating high availability impact potential.
An attacker with editor-level or higher authenticated access can exploit this remotely over the network with low complexity by crafting a DELETE request specifying any target user's tokenID and userID. This allows selective revocation of API tokens used for critical integrations and automations, enabling targeted denial-of-service disruptions without impacting confidentiality or integrity directly. No user interaction is required, and the scope remains unchanged.
The vulnerability is addressed in StudioCMS version 0.4.0, as detailed in the project's security advisory (GHSA-8rgj-vrfr-6hqr), release notes, and fixing commit (9eec9c3b45523b635cfe16d55aa55afabacbebe3) on GitHub. Security practitioners should upgrade to 0.4.0 or later and review API token management practices to enforce proper ownership and role-based verification.
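As an added illustration (not StudioCMS's code, and not the actual fixing commit), the handler shape the advisory describes beside one that derives ownership and role from the caller's session; the role names, rank order, token store and user records are assumptions:

```javascript
// Added illustration, not StudioCMS code: the pattern CVE-2026-30945
// describes (tokenID/userID trusted from the DELETE payload) next to a
// handler that binds the decision to the caller's session and role.
// Role names, rank order, the store shape and user records are assumptions.

const RANK = { visitor: 0, editor: 1, admin: 2, owner: 3 }; // assumed hierarchy

// Constructed in-memory state: tokenID -> owning userID, userID -> role
function makeStore() {
  return new Map([["tok-1", "alice"], ["tok-2", "bob"], ["tok-3", "carol"]]);
}
const USERS = { alice: "owner", bob: "editor", carol: "admin" };

// Vulnerable shape: the payload alone selects the row to delete. The caller
// is authenticated (editor or above) but never compared with the token owner.
function deleteTokenVulnerable(store, _caller, body) {
  const { tokenID, userID } = body;
  if (store.get(tokenID) !== userID) return { status: 404 };
  store.delete(tokenID);
  return { status: 200 };
}

// Hardened shape: userID from the body is ignored. The owner is looked up
// server-side; the delete succeeds only for the caller's own token, or when
// the caller is admin or above and strictly outranks the token's owner.
function deleteTokenHardened(store, caller, body, users = USERS) {
  const ownerID = store.get(body.tokenID);
  if (ownerID === undefined) return { status: 404 };
  const callerRank = RANK[caller.role] ?? -1;
  const ownerRank = RANK[users[ownerID]] ?? RANK.owner; // unknown owner: treat as top rank
  const isSelf = ownerID === caller.userID;
  const outranks = callerRank >= RANK.admin && callerRank > ownerRank;
  if (!isSelf && !outranks) return { status: 403 };
  store.delete(body.tokenID);
  return { status: 200 };
}
```

The hardened variant also refuses admin-on-admin revocation (equal rank), which is the role-hierarchy check the advisory says was missing.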
Details
- CWE(s)