CVE-2026-30945: CWE-639: Authorization Bypass Through User-Controlled Key in withstudiocms studiocms
CVE-2026-30945 is a high-severity authorization bypass vulnerability in StudioCMS versions prior to 0.4.0. It allows any authenticated user with editor privileges or higher to revoke API tokens belonging to other users, including administrators and owners, without any ownership or role verification. The cause is that the DELETE /studiocms_api/dashboard/api-tokens endpoint takes tokenID and userID directly from the request payload and acts on them without checking that the caller owns the token or outranks its owner. Exploiting the flaw leads to denial of service against integrations and automations that authenticate with the revoked tokens. No user interaction is required and the endpoint is reachable over the network. The issue is fixed in StudioCMS version 0.4.0.
AI Analysis
Technical Summary
CVE-2026-30945 is an authorization bypass vulnerability in StudioCMS, a server-side-rendered, Astro-native, headless content management system. The flaw exists in versions prior to 0.4.0 in the DELETE /studiocms_api/dashboard/api-tokens endpoint. The handler requires the caller to hold at least the editor role, then reads tokenID and userID from the request payload and revokes the matching token without verifying that the caller owns it or holds a higher role than its owner. The authorization decision is therefore driven entirely by a user-controlled key (CWE-639), with no enforcement of token ownership or role hierarchy (CWE-863). A malicious editor-level user can revoke the API tokens of any other user, administrators and owners included, breaking the integrations and automated processes that authenticate with those tokens. The vulnerability carries a CVSS v3.1 base score of 7.1 (high); the stated components (network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, high availability impact) correspond to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H. No exploitation in the wild had been reported as of publication. StudioCMS 0.4.0 resolves the issue by checking token ownership and caller privileges before allowing revocation.
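The following added example (written for this page, not StudioCMS's own code) models the pattern the advisory describes in TypeScript, the language of the project. It places a handler that trusts tokenID and userID from the body beside a hardened handler that derives ownership from the session and only lets a caller revoke a token it owns or one belonging to a lower-ranked user. The role ordering, the store shape, the user and token records and the audit log are all constructed assumptions; StudioCMS's real role model and data layer are not described on this page.

```typescript
// Added example: vulnerable vs. hardened revocation logic for a
// DELETE /studiocms_api/dashboard/api-tokens style endpoint.
// Everything below (roles, store, records) is hypothetical, not StudioCMS code.

type Role = "visitor" | "editor" | "admin" | "owner";
// Assumed role ordering; higher rank may act on tokens of lower rank.
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

interface Session { userId: string; role: Role; }            // authenticated caller
interface ApiToken { id: string; userId: string; revoked: boolean; }
interface RevokeRequest { tokenID: string; userID: string; } // attacker-controlled body
interface Result { status: number; message: string; }

interface Store {
  users: Map<string, Role>;
  tokens: Map<string, ApiToken>;
  audit: string[]; // denied cross-user attempts, the events worth alerting on
}

// Constructed in-memory data standing in for the database.
function makeStore(): Store {
  return {
    users: new Map<string, Role>([["u-editor", "editor"], ["u-admin", "admin"], ["u-owner", "owner"]]),
    tokens: new Map<string, ApiToken>([
      ["tok-editor", { id: "tok-editor", userId: "u-editor", revoked: false }],
      ["tok-admin", { id: "tok-admin", userId: "u-admin", revoked: false }],
      ["tok-owner", { id: "tok-owner", userId: "u-owner", revoked: false }],
    ]),
    audit: [],
  };
}

// Vulnerable pattern (CWE-639): the only gate is "caller is at least an editor";
// after that, the (tokenID, userID) pair from the body selects what gets revoked.
function revokeVulnerable(session: Session, body: RevokeRequest, store: Store): Result {
  if (RANK[session.role] < RANK.editor) return { status: 403, message: "forbidden" };
  const tok = store.tokens.get(body.tokenID);
  if (!tok || tok.userId !== body.userID) return { status: 404, message: "not found" };
  tok.revoked = true; // never compares session.userId with tok.userId
  return { status: 200, message: "revoked" };
}

// Policy: you may revoke your own token, or a token whose owner you outrank.
function canRevoke(caller: Session, ownerId: string, store: Store): boolean {
  if (caller.userId === ownerId) return true;
  const ownerRole = store.users.get(ownerId);
  if (ownerRole === undefined) return false;
  return RANK[caller.role] > RANK[ownerRole];
}

// Hardened pattern: ownership comes from the session, never from the body.
// body.userID is deliberately not consulted for the authorization decision.
function revokeHardened(session: Session, body: RevokeRequest, store: Store): Result {
  if (RANK[session.role] < RANK.editor) return { status: 403, message: "forbidden" };
  const tok = store.tokens.get(body.tokenID);
  if (!tok) return { status: 404, message: "not found" };
  if (!canRevoke(session, tok.userId, store)) {
    // Record the attempt for alerting, but answer 404 so the endpoint does not
    // act as an oracle for which token IDs exist.
    store.audit.push(`denied: ${session.userId} (${session.role}) tried to revoke ${tok.id} owned by ${tok.userId}`);
    return { status: 404, message: "not found" };
  }
  tok.revoked = true;
  return { status: 200, message: "revoked" };
}
```

In the vulnerable handler an editor session revoking tok-owner succeeds; in the hardened handler the same request is denied and logged, while revoking the editor's own token, or an owner revoking an admin's token, still works.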
Potential Impact
The primary impact is denial of service against integrations and automation workflows that authenticate to StudioCMS with API tokens. An attacker with editor-level access can revoke the tokens of any other user, administrators and owners included, halting deployments, content syncs and other automated jobs, and forcing administrators to re-issue credentials before they can restore service. Confidentiality is not affected: the flaw revokes tokens, it does not disclose them. Integrity impact is limited (the token store is modified) and availability impact is high, matching the CVSS assessment. Organizations running StudioCMS versions prior to 0.4.0 with several token-bearing integrations or multiple administrators are most exposed, since one revocation can take down everything that depended on that token. The flaw also shows that the CMS's role boundaries were not enforced at this endpoint, which is a reason to treat editor accounts as more sensitive than their nominal role suggests.
Mitigation Recommendations
Organizations should upgrade StudioCMS to version 0.4.0 or later, where the endpoint enforces ownership and role checks. A quick way to confirm an instance is fixed is to issue, from an editor account against a non-production copy, a DELETE to /studiocms_api/dashboard/api-tokens naming another user's tokenID and userID: on a patched instance the request must be rejected and the target token must remain valid. Until upgrading, limit editor-or-higher roles to trusted users, since on a vulnerable instance any editor can revoke any token and there is no in-product setting that narrows this. Log every request to the revocation endpoint together with the session user, and alert when the userID in the payload differs from the caller's own ID; the same signal identifies the offending account after the fact. Issue a separate token to each integration rather than sharing one, so a single revocation has a bounded blast radius, and keep a documented procedure for re-issuing tokens so recovery is fast. Inventory active tokens and their consumers so that an unexpected revocation is noticed quickly, and review role assignments to minimize the number of editor-or-higher accounts. Finally, remind administrators that token lifecycle actions are privileged and should be performed from accounts protected by strong authentication.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:34:39.979Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b05635ea502d3aa87d7c00
Added to database: 3/10/2026, 5:34:45 PM
Last enriched: 3/17/2026, 7:25:11 PM
Last updated: 4/28/2026, 4:52:18 AM