CVE-2026-30945
Received Received - Intake
Privilege Escalation in StudioCMS API Token Revocation Endpoint

Publication date: 2026-03-10

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30945
EUVD
EUVD-2026-10557
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
studiocms studiocms to 0.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in StudioCMS versions prior to 0.4.0 in the DELETE /studiocms_api/dashboard/api-tokens endpoint. Any authenticated user with editor privileges or higher can revoke API tokens belonging to other users, including those of admin and owner accounts. This happens because the endpoint accepts tokenID and userID directly from the request payload without verifying token ownership, the caller's identity, or role hierarchy.

As a result, an attacker with editor or higher privileges can revoke critical API tokens of other users, potentially disrupting integrations and automations.

Impact Analysis

This vulnerability can lead to a targeted denial of service against important integrations and automations by allowing an attacker to revoke API tokens of other users, including administrators and owners.

Such disruptions can affect system availability and operational continuity, especially if critical API tokens are revoked unexpectedly.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade StudioCMS to version 0.4.0 or later, where the issue is fixed.

Until the upgrade is applied, restrict editor privileges to trusted users only, as any authenticated user with editor privileges or above can revoke API tokens of other users.

Monitor and audit API token revocation requests to detect any suspicious activity targeting critical integrations and automations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart