CVE-2026-30945
Published: 10 March 2026
Summary
CVE-2026-30945 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Studiocms Studiocms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531). The vulnerability is ranked at the 17.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-30945 affects StudioCMS, a server-side-rendered, Astro native, headless content management system, in versions prior to 0.4.0. The vulnerability resides in the DELETE /studiocms_api/dashboard/api-tokens endpoint, which permits any authenticated user with editor privileges or higher to revoke API tokens belonging to any other user, including admin and owner accounts. The endpoint handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy, violating access control principles (CWE-639: Authorization Bypass Through User-Controlled Key, CWE-863: Incorrect Authorization). It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating high availability impact potential.
An attacker with editor-level or higher authenticated access can exploit this remotely over the network with low complexity by crafting a DELETE request specifying any target user's tokenID and userID. This allows selective revocation of API tokens used for critical integrations and automations, enabling targeted denial-of-service disruptions without impacting confidentiality or integrity directly. No user interaction is required, and the scope remains unchanged.
The vulnerability is addressed in StudioCMS version 0.4.0, as detailed in the project's security advisory (GHSA-8rgj-vrfr-6hqr), release notes, and fixing commit (9eec9c3b45523b635cfe16d55aa55afabacbebe3) on GitHub. Security practitioners should upgrade to 0.4.0 or later and review API token management practices to enforce proper ownership and role-based verification.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10557
Vulnerability details
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
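As an added illustration (not StudioCMS's own code), the TypeScript below models the pre-0.4.0 authorization gap described in the deeper analysis and in the vulnerability details above, next to a hardened check of the kind the mitigations call for: the token owner is read from the stored record rather than from the payload, and cross-user revocation requires a strictly higher role. The role ranks, the store shape and the sample users and tokens are assumptions made for the example.

```typescript
// Added illustration (not StudioCMS's code) of the authorization gap in
// DELETE /studiocms_api/dashboard/api-tokens and a hardened check.
type Role = "visitor" | "editor" | "admin" | "owner";
interface User { id: string; role: Role }
interface ApiToken { id: string; userId: string }
interface Store { users: Map<string, User>; tokens: Map<string, ApiToken> }
interface DeleteBody { tokenID: string; userID: string }

// Privilege ranks are assumed for the example; higher means more privileged.
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Constructed sample data: an owner and an editor, one API token each.
function makeStore(): Store {
  return {
    users: new Map([
      ["u-owner", { id: "u-owner", role: "owner" as Role }],
      ["u-editor", { id: "u-editor", role: "editor" as Role }],
    ]),
    tokens: new Map([
      ["tok-owner", { id: "tok-owner", userId: "u-owner" }],
      ["tok-editor", { id: "tok-editor", userId: "u-editor" }],
    ]),
  };
}

// Pre-0.4.0 pattern as the advisory describes it: the only gate is "editor
// or above", and both tokenID and userID are trusted from the payload.
function canRevokeVulnerable(caller: User, body: DeleteBody, s: Store): boolean {
  if (RANK[caller.role] < RANK.editor) return false;
  const tok = s.tokens.get(body.tokenID);
  return tok !== undefined && tok.userId === body.userID; // user-controlled key
}

// Hardened check: ownership comes from the stored token record, never from
// body.userID; revoking another user's token requires a strictly higher role.
function canRevoke(caller: User, body: DeleteBody, s: Store): boolean {
  const tok = s.tokens.get(body.tokenID);
  if (tok === undefined) return false; // unknown token: same answer as a denial
  if (tok.userId === caller.id) return true; // caller's own token
  const target = s.users.get(tok.userId);
  if (target === undefined) return false;
  // Only admin/owner may act on others, and only downward in the hierarchy.
  return RANK[caller.role] >= RANK.admin && RANK[caller.role] > RANK[target.role];
}
```

With the sample store, an editor supplying the owner's tokenID and userID passes the vulnerable check but is refused by the hardened one, while the owner can still revoke the editor's token.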
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass on DELETE /api-tokens allows authenticated editor+ users to revoke arbitrary users' API tokens (including admins/owners), directly enabling Account Access Removal for targeted availability impact/DoS against integrations.
Mitigating Controls (NIST 800-53 r5)
Directly requires the system to enforce authorized access to the DELETE /api-tokens endpoint by verifying token ownership and caller role before allowing revocation.
Limits the privileges granted to editor-level accounts so they cannot perform cross-user token revocation actions.
Requires access-control decisions for the token-revocation operation to be based on verified attributes rather than untrusted user-supplied IDs.