StudioCMS is a server-side-rendered, Astro native, headless content management system designed to manage content via API tokens. Prior to version 0.4.0, the API endpoint /studiocms_api/dashboard/api-tokens improperly authorizes requests to generate API tokens. Specifically, any authenticated user with Editor-level privileges or higher can request API tokens on behalf of any other user, including those with owner or admin roles. This occurs because the endpoint fails to validate whether the requesting user is authorized to create tokens for the target user ID, leading to an authorization bypass (CWE-639) and improper authorization (CWE-863). Attackers exploiting this flaw can escalate their privileges to full administrative control by generating tokens that grant them unrestricted access. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. The issue was publicly disclosed on March 10, 2026, and fixed in StudioCMS version 0.4.0. No known exploits have been reported in the wild as of now.

The vulnerability allows attackers with at least Editor-level access to escalate privileges to full administrative control by generating API tokens for any user, including owners and admins. This can lead to complete compromise of the CMS environment, enabling unauthorized data access, modification, or deletion, and potentially disrupting content availability. Organizations relying on StudioCMS for content management risk exposure of sensitive data and loss of operational integrity. The ease of exploitation and the broad scope of affected users make this a critical risk for organizations using vulnerable versions. Attackers can leverage this flaw to bypass security controls, potentially pivot to other internal systems, or deface websites managed by StudioCMS.

Upgrade StudioCMS to version 0.4.0 or later, where the authorization checks on the /studiocms_api/dashboard/api-tokens endpoint have been properly implemented. Until upgrading, restrict Editor-level user privileges to trusted personnel only and monitor API token creation logs for suspicious activity. Implement network segmentation and access controls to limit exposure of the CMS API endpoints. Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous API token generation requests. Conduct regular audits of user roles and API tokens to identify unauthorized privilege escalations. Additionally, consider implementing multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of compromised credentials being exploited.