Description
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
Published: 2026-03-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service to integrations via unauthorized token revocation
Action: Immediate Patch
AI Analysis

Impact

StudioCMS allows any authenticated user with editor privileges or higher to delete the API tokens of any account by sending a DELETE request to /studiocms_api/dashboard/api-tokens. The request payload accepts a tokenID and a userID without validating that the token belongs to the caller or that the caller has authority over that account. Unauthorized removal of tokens can prevent automated tools, third-party services, or scheduled jobs from authenticating, effectively causing a denial of service for those integrations. The weakness is an IDOR, classified as CWE-639 and CWE-863.

Affected Systems

The vulnerability exists in StudioCMS releases before 0.4.0. The affected product is StudioCMS, identified in CPE data by the vendor withstudiocms and the product studiocms. All installations that have not applied the 0.4.0 patch or later are susceptible, regardless of the host environment.

Risk and Exploitability

The CVSS score of 7.1 corresponds to a High severity rating. The EPSS score is below 1%, indicating a very low probability that this vulnerability is exploited in the wild, and it is not currently listed in the CISA KEV catalog. An attacker needs to be authenticated with at least the editor role, so exploitation requires legitimate credentials rather than anonymous remote access. Still, the ease of revoking tokens and the potential disruption to business-critical integrations make it a significant risk if not mitigated.

Generated by OpenCVE AI on April 16, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade StudioCMS to version 0.4.0 or later, which removes the vulnerable endpoint and implements proper ownership checks
  • If an upgrade is not immediately possible, modify your application to enforce that only the token owner, administrators, or privileged services can request token revocation, rejecting requests for other users' tokens
  • Implement monitoring of token revocation logs to detect suspicious activity and, if feasible, temporarily disable the DELETE /studiocms_api/dashboard/api-tokens endpoint on older installations until a patch can be applied

Generated by OpenCVE AI on April 16, 2026 at 03:48 UTC.
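The missing checks described in the Impact section and the ownership and role-hierarchy enforcement recommended above, as an added TypeScript illustration that is not StudioCMS code: the handler names, the role hierarchy, the user list and the in-memory token store are all assumptions constructed for this example.

```typescript
// Added illustration of the CVE-2026-30945 root cause and the recommended fix.
// Not StudioCMS code: the role model, names and store shape are assumptions.
type Role = "visitor" | "editor" | "admin" | "owner";
interface Caller { userID: string; role: Role; }
interface ApiToken { tokenID: string; userID: string; } // userID = token owner
interface RevokeRequest { tokenID: string; userID: string; } // client-supplied

// Assumed hierarchy: a higher rank outranks a lower one.
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Constructed sample data standing in for the user and token tables.
const ROLES_BY_USER: Record<string, Role> = { "u-editor": "editor", "u-owner": "owner" };
const roleOf = (userID: string): Role | undefined => ROLES_BY_USER[userID];
function sampleStore(): Map<string, ApiToken> {
  return new Map([
    ["tok-editor-1", { tokenID: "tok-editor-1", userID: "u-editor" }],
    ["tok-owner-ci", { tokenID: "tok-owner-ci", userID: "u-owner" }],
  ]);
}

// Vulnerable pattern: the only gate is "editor or above"; tokenID and userID from
// the payload are trusted, so any editor can delete any token (the advisory's IDOR).
function revokeVulnerable(store: Map<string, ApiToken>, caller: Caller, req: RevokeRequest): boolean {
  if (RANK[caller.role] < RANK.editor) return false;
  return store.delete(req.tokenID);
}

// Hardened pattern: look the token up server-side, bind it to its stored owner, and
// allow the call only if the caller owns it or outranks the owner.
function revokeHardened(store: Map<string, ApiToken>, caller: Caller, req: RevokeRequest):
    "deleted" | "not_found" | "forbidden" {
  if (RANK[caller.role] < RANK.editor) return "forbidden";
  const token = store.get(req.tokenID);
  // The stored owner is authoritative; a mismatching userID is treated as not found.
  if (token === undefined || token.userID !== req.userID) return "not_found";
  const isOwner = token.userID === caller.userID;
  const ownerRole = roleOf(token.userID);
  const outranksOwner = ownerRole !== undefined && RANK[caller.role] > RANK[ownerRole];
  if (!isOwner && !outranksOwner) return "forbidden";
  store.delete(req.tokenID);
  return "deleted";
}
```

Logging the caller, the token owner and the decision on every revocation call gives the monitoring signal the recommended actions ask for.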

Advisories

Source: GitHub GHSA
ID: GHSA-8rgj-vrfr-6hqr
Title: StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service

History

Tue, 17 Mar 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Studiocms; Studiocms studiocms
CPEs                                  cpe:2.3:a:studiocms:studiocms:*:*:*:*:*:*:*:*
Vendors & Products                    Studiocms; Studiocms studiocms

Wed, 11 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Withstudiocms; Withstudiocms studiocms
Vendors & Products                    Withstudiocms; Withstudiocms studiocms

Tue, 10 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Description                           StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
Title                                 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
Weaknesses                            CWE-639; CWE-863
References
Metrics                               cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:16:41.910Z

Reserved: 2026-03-07T17:34:39.979Z

Link: CVE-2026-30945

Vulnrichment

Updated: 2026-03-10T19:16:33.405Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:54.433

Modified: 2026-03-17T16:17:30.660

Link: CVE-2026-30945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses