LeakyCreds

CVE-2026-30944 - Vulnerability Analysis

High, CVSS: 8.8

Last Updated: March 11, 2026

StudioCMS - Broken Access Control

Published: March 10, 2026 | Updated: March 11, 2026 | PoC Available | Remote Exploitable

Overview

StudioCMS < 0.4.0 contains a broken access control vulnerability caused by improper authorization validation in the /studiocms_api/dashboard/api-tokens endpoint, which lets authenticated users escalate privileges by generating API tokens for any user.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 3.7% (Probability of exploitation in next 30 days)

Impact

Authenticated users can escalate privileges to owner or admin by generating API tokens for any user.

Mitigation

Update to version 0.4.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 10, 2026

🟠 CVE-2026-30944 - High (8.8) StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, incl... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30944/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-30944
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: unconfirmed
EPSS: 3.7%
Social Posts: 1

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.7% (Probability of exploitation in the next 30 days)