CVE-2026-30945

StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

CVSS 7.1 HIGHEPSS 0.5%CWE-639 CWE-863

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.1EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

10 mar 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Productos afectados

withstudiocms · studiocms

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/withstudiocms/studiocms/commit/9eec9c3b45523b635cfe16d55aa55afabacbebe3 https://github.com/withstudiocms/studiocms/releases/tag/studiocms@0.4.0 https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr