Impact
StudioCMS is vulnerable to an Insecure Direct Object Reference (IDOR) that allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The POST /studiocms_api/dashboard/create-reset-link endpoint verifies the caller is an admin but does not enforce a role hierarchy or confirm that the target userId matches the caller’s identity. When combined with the POST /studiocms_api/dashboard/reset-password endpoint, this flaw permits an attacker to reset the owner account’s password and gain full control of the system.
Affected Systems
All installations of StudioCMS running versions earlier than 0.4.3 are affected, including all releases from the first public release up through 0.4.2. The vendor:product identifier is withstudiocms:studiocms.
Risk and Exploitability
The CVSS score for this vulnerability is 6.8, indicating moderate severity. The EPSS score is below 1%, suggesting a low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue. An attacker with compromised admin credentials, or who successfully authenticates as an admin, can exploit the IDOR by generating a reset link for the owner account and then applying the reset, resulting in full system takeover. The attack requires only authenticated admin access and no additional privileges, making it a straightforward privilege escalation vector.
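The authorization gap described in the Impact and Risk sections above comes down to one missing comparison: the endpoint checks the caller's role but never relates the caller to the target. The following TypeScript is an added illustration, not StudioCMS's own code; the role names, ranks, user ids and function names (createResetLinkVulnerable, canIssueResetFor, createResetLinkHardened) are all assumptions made for the example. The vulnerable handler shows the shape the advisory describes; the hardened handler adds a self-or-strictly-outranks rule so an admin can no longer mint a reset token for the owner.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical role hierarchy; StudioCMS's real role names and ranks are not taken from the page.
type Role = "visitor" | "editor" | "admin" | "owner";
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

interface User {
  id: string;
  role: Role;
}

// Constructed sample user directory standing in for the CMS database.
const USERS = new Map<string, User>([
  ["owner-1", { id: "owner-1", role: "owner" }],
  ["admin-1", { id: "admin-1", role: "admin" }],
  ["editor-1", { id: "editor-1", role: "editor" }],
]);

interface ResetLinkResult {
  status: number; // HTTP-style status the endpoint would return
  token?: string; // opaque reset token, present only on success
}

function issueResetToken(): string {
  return randomBytes(32).toString("hex");
}

// Vulnerable shape of the endpoint as the advisory describes it: the caller's
// admin role is verified, but the target userId is never compared against the
// caller nor ranked against them, so an admin can obtain a token for the owner.
function createResetLinkVulnerable(callerId: string, targetId: string): ResetLinkResult {
  const caller = USERS.get(callerId);
  if (!caller) return { status: 401 };
  const target = USERS.get(targetId);
  if (!target) return { status: 404 };
  if (RANK[caller.role] < RANK.admin) return { status: 403 };
  return { status: 200, token: issueResetToken() };
}

// Hardened authorization rule: a user may always reset their own password;
// otherwise the caller must be at least an admin AND strictly outrank the target.
// "Strictly" means an admin cannot reset another admin either, which is the
// conservative choice when the hierarchy is small.
function canIssueResetFor(caller: User, target: User): boolean {
  if (caller.id === target.id) return true;
  if (RANK[caller.role] < RANK.admin) return false;
  return RANK[caller.role] > RANK[target.role];
}

function createResetLinkHardened(callerId: string, targetId: string): ResetLinkResult {
  const caller = USERS.get(callerId);
  if (!caller) return { status: 401 };
  const target = USERS.get(targetId);
  if (!target) return { status: 404 };
  if (!canIssueResetFor(caller, target)) {
    // Denied attempts are worth recording: an admin repeatedly targeting the
    // owner account is exactly the pattern a defender wants visible in audit logs.
    console.warn(`reset-link denied: caller=${caller.id} (${caller.role}) target=${target.id} (${target.role})`);
    return { status: 403 };
  }
  return { status: 200, token: issueResetToken() };
}
```

The rank check alone is not the whole fix: the companion reset-password endpoint should bind each token to the user it was issued for and reject reuse or expiry, so that a leaked or mis-issued token cannot be replayed against a different account. Logging every reset-link issuance with both caller and target ids, not only the denials, gives incident responders the trail needed to tell a legitimate admin-assisted reset from an escalation attempt.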
OpenCVE Enrichment
Github GHSA