CVE-2026-30944

Name of the Vulnerable Software and Affected Versions StudioCMS versions prior to 0.4.0

Description StudioCMS is a server-side-rendered, Astro native, headless content management system. The /studiocms api/dashboard/api-tokens API endpoint, in versions prior to 0.4.0, does not properly validate authorization when creating API tokens. This allows any authenticated user with at least Editor privileges to generate API tokens for any other user, including those with Owner or Admin accounts. This can lead to a full privilege escalation. The vulnerable parameter is the user ID.

Recommendations Update to version 0.4.0 or later.