Description
The /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (with at least the Editor role) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID supplied in the request, resulting in a full privilege escalation.
Recommendation
Update the studiocms package to the latest compatible version. Version details:
- Affected version(s): <= 0.3.0
- Patched version(s): 0.4.0
References
Related Issues
- Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration - CVE-2026-45716
- Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966
Tags: npm, studiocms
Last updated on March 10, 2026


