Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30944 is a high-severity privilege escalation vulnerability in StudioCMS versions prior to 0.4.0. The issue exists in the /studiocms_api/dashboard/api-tokens endpoint, which allows any authenticated user with at least Editor privileges to generate API tokens for any other user, including owner and admin accounts.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the endpoint does not properly verify whether the requesting user is authorized to create tokens on behalf of the specified target user ID. This lack of authorization check means an Editor can create API tokens for higher-privileged users, effectively escalating their privileges.'}, {'type': 'paragraph', 'content': "This is a Broken Object Level Authorization (BOLA) vulnerability, where the system only checks if the user is logged in but not if they have permission to act on the target user's resources."}] [2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including full privilege escalation from an Editor-level user to an owner or admin-level user.'}, {'type': 'paragraph', 'content': "An attacker exploiting this flaw can generate API tokens for any user, gaining full API access with the impersonated user's permissions."}, {'type': 'list_item', 'content': 'Account takeover of any user by specifying their user ID.'}, {'type': 'list_item', 'content': 'Access to sensitive data such as user listings, content, and configuration settings.'}, {'type': 'list_item', 'content': 'Ability to modify content and manage the application with elevated privileges.'}, {'type': 'paragraph', 'content': 'Overall, this leads to a high risk of data breach, unauthorized modifications, and loss of control over the system.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring API requests to the /studiocms_api/dashboard/api-tokens endpoint, specifically POST requests that include a user ID in the payload different from the authenticated user. An Editor or similar user generating API tokens for other users, especially owner or admin accounts, indicates exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network traffic inspection tools like curl or HTTP clients to test the endpoint with different user IDs, for example:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-studiocms-instance/studiocms_api/dashboard/api-tokens -H \'Cookie: auth_session=YOUR_SESSION_COOKIE\' -H \'Content-Type: application/json\' -d \'{"user":"TARGET_USER_ID","description":"test token"}\''}, {'type': 'paragraph', 'content': 'If the server responds with a valid API token for a user other than the authenticated one, it indicates the presence of the vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade StudioCMS to version 0.4.0 or later, where this vulnerability has been fixed by enforcing proper authorization checks on the API token creation endpoint.

Until the upgrade is applied, restrict access to the /studiocms_api/dashboard/api-tokens endpoint to trusted users only, and monitor API token creation activities closely.

Additionally, review and audit existing API tokens for suspicious tokens that may have been created exploiting this vulnerability.

Useful 0 Not Useful 0