CVE-2026-30944
📋 TL;DR
This vulnerability allows any authenticated user with at least Editor permissions in StudioCMS to generate API tokens for any other user, including administrative accounts. This results in full privilege escalation, enabling attackers to gain unauthorized access to sensitive functions. All StudioCMS instances running versions before 0.4.0 with authenticated users are affected.
💻 Affected Systems
- StudioCMS
📦 What is this software?
Studiocms by Studiocms
⚠️ Risk & Real-World Impact
Worst Case
An attacker with Editor access can generate API tokens for admin/owner accounts, gaining full administrative control over the StudioCMS instance, potentially leading to data theft, system compromise, or complete takeover.
Likely Case
Malicious or compromised Editor users escalate their privileges to admin level, accessing sensitive data, modifying configurations, or creating backdoors in the system.
If Mitigated
With proper access controls and monitoring, unauthorized token generation attempts are detected and blocked before privilege escalation occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.0
Vendor Advisory: https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4
Restart Required: Yes
Instructions:
1. Back up your StudioCMS instance and database.
2. Update StudioCMS to version 0.4.0 or later using your package manager or by downloading from GitHub.
3. Restart the StudioCMS service.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Disable API Token Endpoint
Temporarily disable or restrict access to the vulnerable /studiocms_api/dashboard/api-tokens endpoint.
# Configure web server (nginx example)
location /studiocms_api/dashboard/api-tokens {
deny all;
return 403;
}
Implement Network Access Controls
Restrict access to the StudioCMS dashboard to trusted IP addresses only.
# Firewall rule example (iptables)
iptables -A INPUT -p tcp --dport 3000 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
🧯 If You Can't Patch
- Implement strict access controls and monitor all API token generation activities
- Regularly audit user permissions and remove unnecessary Editor-level access
🔍 How to Verify
Check if Vulnerable:
Check StudioCMS version. If version is less than 0.4.0, the system is vulnerable. Test authenticated access to /studiocms_api/dashboard/api-tokens endpoint with Editor credentials.
Check Version:
Check package.json or run: npm list @withstudiocms/studiocms
Verify Fix Applied:
After updating to 0.4.0, verify that Editor users can no longer generate API tokens for other users. Test the endpoint with Editor credentials attempting to create tokens for admin accounts.
📡 Detection & Monitoring
Log Indicators:
- Multiple API token generation requests from non-admin users
- Token generation for user IDs different from the requesting user
- Unusual API token usage patterns
Network Indicators:
- POST requests to /studiocms_api/dashboard/api-tokens with different user_id parameters
- Increased API token generation activity
SIEM Query:
source="studiocms" AND (path="/studiocms_api/dashboard/api-tokens" AND method="POST") AND (user_role="editor" AND target_user_id!=current_user_id)
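The log indicator above (token generation for a user ID other than the requester's) as a small detection script; this is an added example, not StudioCMS code, and it assumes a JSON-lines access log with the constructed field names used in the sample below (ts, method, path, user, role, body.user_id), since the real StudioCMS log format is not given here.

```python
"""Flag API-token creation requests where a non-admin targets another user."""
import json
from collections import Counter

TOKEN_ENDPOINT = "/studiocms_api/dashboard/api-tokens"

# Constructed sample log lines (not real StudioCMS output); field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-03-01T10:00:01Z","method":"POST","path":"/studiocms_api/dashboard/api-tokens","user":"alice","role":"editor","body":{"user_id":"alice"}}
{"ts":"2026-03-01T10:00:05Z","method":"POST","path":"/studiocms_api/dashboard/api-tokens","user":"alice","role":"editor","body":{"user_id":"owner-01"}}
{"ts":"2026-03-01T10:00:09Z","method":"GET","path":"/studiocms_api/dashboard/api-tokens","user":"alice","role":"editor","body":{}}
{"ts":"2026-03-01T10:01:00Z","method":"POST","path":"/studiocms_api/dashboard/api-tokens","user":"root","role":"owner","body":{"user_id":"bob"}}
{"ts":"2026-03-01T10:01:30Z","method":"POST","path":"/studiocms_api/dashboard/api-tokens","user":"bob","role":"editor","body":{"user_id":"admin-02"}}
"""


def parse_lines(text):
    """Yield one dict per well-formed JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_cross_user_token_requests(text, admin_roles=("admin", "owner")):
    """Return POSTs to the token endpoint where a non-admin names a different user_id."""
    hits = []
    for ev in parse_lines(text):
        if ev.get("method") != "POST" or ev.get("path") != TOKEN_ENDPOINT:
            continue
        target = (ev.get("body") or {}).get("user_id")
        if target is None or target == ev.get("user"):
            continue  # self-service token creation is expected behaviour
        if ev.get("role") in admin_roles:
            continue  # admins/owners legitimately manage other users' tokens
        hits.append({"ts": ev.get("ts"), "actor": ev.get("user"), "target": target})
    return hits


def actors_by_count(hits):
    """Count flagged requests per actor, to spot accounts that repeat the pattern."""
    return Counter(h["actor"] for h in hits)


if __name__ == "__main__":
    for h in find_cross_user_token_requests(SAMPLE_LOG):
        print(f"ALERT {h['ts']}: {h['actor']} requested a token for {h['target']}")
```

On a patched 0.4.0 instance such requests should be rejected server-side, so any hit after the upgrade points at a misconfiguration or an incomplete rollout.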