CVE-2026-30944

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions StudioCMS versions prior to 0.4.0

Description StudioCMS is a server-side-rendered, Astro native, headless content management system. The /studiocms api/dashboard/api-tokens API endpoint, in versions prior to 0.4.0, does not properly validate authorization when creating API tokens. This allows any authenticated user with at least Editor privileges to generate API tokens for any other user, including those with Owner or Admin accounts. This can lead to a full privilege escalation. The vulnerable parameter is the user ID.

Recommendations Update to version 0.4.0 or later.

Exploit

Fix

IDOR

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639CWE-863

Related Identifiers

CVE-2026-30944

GHSA-667W-MMH7-MRR4

Affected Products

Studiocms

CVE-2026-30944

Weakness Enumeration

Related Identifiers

Affected Products

References · 13