Impact
The vulnerability resides in the /studiocms_api/dashboard/api-tokens endpoint of StudioCMS, which does not verify that the user creating a token is authorized to create one for the target user ID supplied in the request. As a result, any authenticated user with at least the Editor role can generate API tokens for other users, including owners and administrators, and thereby obtain full administrative access. The flaw allows low-privileged attackers to act as admin users and, with that access, modify or delete content, read sensitive data, or further compromise the system. The weakness aligns with CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Privilege Escalation via Improper Access Control).
Affected Systems
StudioCMS releases prior to 0.4.0 are affected. The vulnerability is present in all releases shipped before the 0.4.0 update, which introduced proper access control for token generation. The product, developed by withstudiocms, is a server-side-rendered, Astro-native, headless content management system deployed on web servers that expose a REST API.
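The two sections above describe the defect and its fix only in words: the endpoint checked the caller's role but not the relationship between the caller and the user ID in the request body. The following TypeScript is an added illustration, not StudioCMS code and not the 0.4.0 patch; the role names, the in-memory user store, the request shape and the "self-service, or strictly higher role than the target" policy are all assumptions made for the example. It places the vulnerable decision logic beside a hardened version and produces an audit line a defender could log for every token-creation attempt.

```typescript
// Added example, not StudioCMS code. Roles, user store and request shape are
// assumptions chosen to model the authorization gap described in the advisory.

type Role = "visitor" | "editor" | "admin" | "owner";

interface User {
  id: string;
  role: Role;
}

// The session identifies the caller; the JSON body names the user the token
// should be minted for. That body field is the user-controlled key (CWE-639).
interface CreateTokenRequest {
  sessionUserId: string;
  body: { userId: string };
}

interface Decision {
  allowed: boolean;
  tokenOwner?: string; // account the token would be bound to, when allowed
  reason: string; // short explanation intended for audit logs
}

const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Constructed in-memory user directory for the demo.
const USERS: Record<string, User> = {
  "u-owner": { id: "u-owner", role: "owner" },
  "u-admin": { id: "u-admin", role: "admin" },
  "u-editor": { id: "u-editor", role: "editor" },
  "u-editor2": { id: "u-editor2", role: "editor" },
  "u-visitor": { id: "u-visitor", role: "visitor" },
};

// Checks shared by both policies: the caller must be authenticated, hold at
// least the Editor role, and name a user that actually exists.
function preflight(req: CreateTokenRequest, users: Record<string, User>) {
  const caller = users[req.sessionUserId];
  if (!caller) return { deny: { allowed: false, reason: "unauthenticated" } as Decision };
  if (RANK[caller.role] < RANK.editor) {
    return { deny: { allowed: false, reason: "caller role below editor" } as Decision };
  }
  const target = users[req.body.userId];
  if (!target) return { deny: { allowed: false, reason: "unknown target user" } as Decision };
  return { caller, target };
}

// Vulnerable pattern (the behaviour the advisory describes): once the caller is
// known to be an Editor or above, a token is minted for whatever userId the
// client put in the body, so an Editor can obtain an Owner's token.
function decideVulnerable(req: CreateTokenRequest, users = USERS): Decision {
  const pre = preflight(req, users);
  if ("deny" in pre) return pre.deny;
  return { allowed: true, tokenOwner: pre.target.id, reason: "caller is editor or above" };
}

// Hardened pattern: authorization is decided per (caller, target) pair. A user
// may mint a token for their own account; acting on another account requires a
// role strictly higher than the target's. The token is bound to the server-side
// target record, never to anything the client claimed about roles.
function decideHardened(req: CreateTokenRequest, users = USERS): Decision {
  const pre = preflight(req, users);
  if ("deny" in pre) return pre.deny;
  const { caller, target } = pre;
  if (target.id === caller.id) {
    return { allowed: true, tokenOwner: caller.id, reason: "self-service token" };
  }
  if (RANK[caller.role] > RANK[target.role]) {
    return { allowed: true, tokenOwner: target.id, reason: `${caller.role} acting on lower-privileged ${target.role}` };
  }
  return { allowed: false, reason: `${caller.role} may not issue tokens for ${target.role}` };
}

// One line per attempt, allowed or not. Denied cross-account attempts are the
// signal a detection rule for this class of bug would key on.
function auditLine(req: CreateTokenRequest, d: Decision): string {
  const outcome = d.allowed ? "ALLOW" : "DENY";
  return `api-tokens ${outcome} caller=${req.sessionUserId} target=${req.body.userId} reason="${d.reason}"`;
}

// Stand-alone demo: the same request under both policies.
const sample: CreateTokenRequest = { sessionUserId: "u-editor", body: { userId: "u-owner" } };
console.log(auditLine(sample, decideVulnerable(sample)));
console.log(auditLine(sample, decideHardened(sample)));
```

The rank comparison is the only line a deployment needs to adjust if it wants a stricter policy (for example, self-service only); the essential property is that the target user ID is resolved and compared on the server, not trusted because the caller passed a role check.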
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. The calculated likelihood of exploitation is very low, and the vulnerability is not recorded in the known exploited vulnerabilities catalog. However, since any authenticated user can exploit the flaw, the attack is relatively simple and requires only credentials that grant at least the Editor role. Once exploited, the attacker can create tokens that authorize actions with elevated privileges. The absence of known active exploits implies a low exploitation probability, but the potential impact remains high if the flaw is discovered and used in a targeted campaign.
OpenCVE Enrichment
GitHub GHSA