Description
The /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation.
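The missing authorization check described above, modelled as a vulnerable handler beside a hardened one. This is an added example, not code from StudioCMS or from the original advisory; the role names, the session shape and the "tokens may only be issued for the caller's own account" policy are assumptions.

```typescript
// Added example (not StudioCMS code): the missing ownership check the advisory
// describes, shown as a vulnerable handler beside a hardened one.
// Role names, the session shape and the self-issuance-only policy are assumptions.
type Role = "visitor" | "editor" | "admin" | "owner";

interface SessionUser { id: string; role: Role }

// Request body: the caller chooses which user ID the token is issued for.
interface TokenRequest { userId: string }

interface TokenResult { status: 200 | 401 | 403; ownerId?: string }

// Issued tokens, keyed by the account they act as (constructed in-memory store).
export const issuedTokens: { ownerId: string; token: string }[] = [];

function mintToken(ownerId: string): TokenResult {
  const token = `tok_${ownerId}_${issuedTokens.length + 1}`;
  issuedTokens.push({ ownerId, token });
  return { status: 200, ownerId };
}

function isAuthenticated(session: SessionUser | null): session is SessionUser {
  return session !== null && session.role !== "visitor";
}

// Vulnerable pattern: authentication is checked, but the body's userId is
// trusted as-is, so any editor can mint a token that acts as another account.
export function createTokenVulnerable(session: SessionUser | null, body: TokenRequest): TokenResult {
  if (!isAuthenticated(session)) return { status: 401 };
  return mintToken(body.userId);
}

// Hardened pattern: the target account must be the authenticated caller, and the
// owner of the new token is taken from the session rather than from the request.
export function createTokenHardened(session: SessionUser | null, body: TokenRequest): TokenResult {
  if (!isAuthenticated(session)) return { status: 401 };
  if (body.userId !== session.id) return { status: 403 };
  return mintToken(session.id);
}
```

The hardened handler treats the target user ID purely as a consistency check and never lets the request body decide which account a token acts as.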
Recommendation
Update the studiocms package to the latest compatible version. The affected and patched versions are:
- Affected version(s): <= 0.3.0
- Patched version(s): 0.4.0
References
Related Issues
- Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing - CVE-2026-1664
- Cube Core is vulnerable to privilege escalation via a specially crafted request - CVE-2026-25958
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
Tags:
- npm
- studiocms
Last updated on March 10, 2026