StudioCMS is a headless content management system built with Astro, designed for server-side rendering. In versions before 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint suffers from an authorization bypass vulnerability identified as CVE-2026-30945. The endpoint allows users with editor privileges or above to revoke API tokens belonging to any user, including those with admin or owner roles. The root cause is that the API handler accepts tokenID and userID parameters directly from the request payload without verifying whether the caller owns the token or has sufficient privileges to revoke it. This lack of proper authorization checks violates secure design principles and enables an attacker to revoke tokens arbitrarily. Since API tokens are often used for critical integrations and automation workflows, revoking them disrupts service availability and integrity. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-863 (Incorrect Authorization). It does not impact confidentiality but can cause denial of service by invalidating tokens. Exploitation requires authentication with editor-level privileges or higher but no user interaction. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating a high severity. The issue was publicly disclosed on March 10, 2026, and fixed in StudioCMS version 0.4.0.

The primary impact of CVE-2026-30945 is the unauthorized revocation of API tokens belonging to other users, including high-privilege accounts such as admins and owners. This can lead to denial of service for critical integrations, automation processes, and third-party services relying on these tokens for authentication. Organizations using vulnerable versions of StudioCMS may experience service disruptions, operational delays, and potential loss of trust from clients or partners due to broken workflows. Although the vulnerability does not expose sensitive data directly, the integrity and availability of services are compromised. Attackers with editor-level access can exploit this flaw to selectively disable API tokens, potentially targeting key users or integrations to maximize disruption. This could be leveraged as part of a broader attack chain or insider threat scenario. The ease of exploitation and the scope of affected systems make this a significant risk for organizations relying on StudioCMS for content management and API-driven automation.

To mitigate this vulnerability, organizations should upgrade StudioCMS to version 0.4.0 or later, where proper authorization checks have been implemented to verify token ownership and caller privileges before allowing token revocation. Until upgrading is possible, administrators should restrict editor-level privileges to trusted users only and monitor API token revocation activities closely for suspicious behavior. Implementing additional access controls or custom middleware to enforce ownership verification on the DELETE /studiocms_api/dashboard/api-tokens endpoint can provide temporary protection. Logging and alerting on token revocation events, especially those initiated by non-admin users, can help detect exploitation attempts early. Regularly auditing user roles and permissions to ensure least privilege principles are followed will reduce the risk surface. Finally, organizations should review their integration dependencies on API tokens and have contingency plans to quickly reissue tokens if unauthorized revocations occur.