CVE-2026-30945

Name of the Vulnerable Software and Affected Versions StudioCMS versions prior to 0.4.0

Description StudioCMS is a server-side-rendered, Astro native, headless content management system. The DELETE /studiocms api/dashboard/api-tokens API endpoint, before version 0.4.0, allows authenticated users with editor privileges or higher to revoke API tokens belonging to any user, including administrator and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This can lead to a targeted denial of service against critical integrations and automations.

Recommendations Update to version 0.4.0 or later.