CVE-2026-30945 HIGH

CVE-2026-30945: StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

Vendor Withstudiocms
Product studiocms
Weakness CWE-639 · IDOR
Published March 10, 2026
Last update March 10, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Description

StudioCMS is a server-side-rendered, Astro-native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
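The flaw described above, as an added example written for this page rather than taken from StudioCMS: an in-memory model of the token-revocation handler in its vulnerable form (ownership taken from the request body) beside a hardened form (ownership resolved server-side, caller must own the token or outrank its owner). The function names, the role ranking and the sample users and tokens are all constructed for illustration.

```typescript
// Illustrative model only; not StudioCMS code. Role ranking is an assumption.
type Role = "visitor" | "editor" | "admin" | "owner";
interface User { id: string; role: Role }
interface ApiToken { id: string; userId: string; revoked: boolean }

const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Constructed sample users: an owner and an editor.
const users: Record<string, User> = {
  "u-owner": { id: "u-owner", role: "owner" },
  "u-editor": { id: "u-editor", role: "editor" },
};

// Constructed sample state: the owner's CI token and the editor's own token.
function seed(): ApiToken[] {
  return [
    { id: "tok-owner-ci", userId: "u-owner", revoked: false },
    { id: "tok-editor-1", userId: "u-editor", revoked: false },
  ];
}

// Vulnerable pattern (CWE-639): tokenID and userID come straight from the
// payload, and the only gate is "caller is editor or above". Any editor can
// therefore revoke any token on the instance.
function revokeVulnerable(tokens: ApiToken[], caller: User,
                          body: { tokenID: string; userID: string }): number {
  if (RANK[caller.role] < RANK.editor) return 403;
  const tok = tokens.find(t => t.id === body.tokenID && t.userId === body.userID);
  if (!tok) return 404;
  tok.revoked = true;
  return 200;
}

// Hardened pattern: the client-supplied userID is not trusted at all. The
// token's owner is looked up server-side, and the caller may revoke it only
// when it is their own token or they outrank the owner in the role hierarchy.
function revokeHardened(tokens: ApiToken[], caller: User,
                        body: { tokenID: string }): number {
  if (RANK[caller.role] < RANK.editor) return 403;
  const tok = tokens.find(t => t.id === body.tokenID);
  if (!tok) return 404;
  const owner = users[tok.userId];
  const isSelf = tok.userId === caller.id;
  const outranks = owner !== undefined && RANK[caller.role] > RANK[owner.role];
  if (!isSelf && !outranks) return 403;
  tok.revoked = true;
  return 200;
}
```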

Disclosure timeline

March 10, 2026 CVE published
March 10, 2026 Record updated
