CVE-2026-8327
Password Change Bypass in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | versions before 9.5.0 (9.5.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-620 | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS versions below 9.5.0. It allows an attacker to change a user's password without needing to provide the current password. This happens because the user-profile edit controller passes the entire raw POST data to the update function without restricting which fields can be changed. Additionally, registered users can disable the per-user-IP-pinning feature in the session validator, which is designed to detect session hijacking.
How can this vulnerability impact me?
An attacker or a malicious user could change another user's password without authorization, potentially locking the legitimate user out of their account. Furthermore, by disabling the IP-pinning session validation, attackers can bypass session-hardening mechanisms, increasing the risk of session hijacking and unauthorized access.
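The mass-assignment pattern behind CWE-915 and CWE-620 above, shown as an added PHP example that is not Concrete CMS code: the User class, its field names and both controller functions are hypothetical stand-ins, placed beside a hardened version that allow-lists profile fields and requires the current password before accepting a new one.

```php
<?php
// Added example, not Concrete CMS code: a profile-edit handler that mass-assigns
// request fields. User, its fields and both controller functions are hypothetical.
final class User {
    public function __construct(
        public string $name,
        public string $email,
        public string $passwordHash,
    ) {}

    // Applies every key it is given. Safe only if the caller filters the keys.
    public function updateFromArray(array $fields): void {
        foreach ($fields as $key => $value) {
            if ($key === 'password') {
                $this->passwordHash = password_hash($value, PASSWORD_DEFAULT);
            } elseif (property_exists($this, $key)) {
                $this->$key = $value;
            }
        }
    }
}
// Vulnerable pattern (CWE-915): the raw POST body is forwarded unchanged, so a
// request carrying a "password" key resets the hash with no further proof (CWE-620).
function saveProfileVulnerable(User $user, array $post): void {
    $user->updateFromArray($post);
}
// Hardened pattern: an explicit allow-list of profile fields, and the password is
// only changed after the caller proves knowledge of the current one.
function saveProfileHardened(User $user, array $post): void {
    $allowed = ['name', 'email'];
    $user->updateFromArray(array_intersect_key($post, array_flip($allowed)));
    if (!isset($post['password'])) {
        return;
    }
    if (!isset($post['current_password'])
        || !password_verify($post['current_password'], $user->passwordHash)) {
        throw new RuntimeException('current password required to set a new one');
    }
    $user->updateFromArray(['password' => $post['password']]);
}
// Constructed request: an ordinary profile edit that also carries a password key.
$post = ['name' => 'Alice B.', 'password' => 'newpass'];
$u1 = new User('Alice', 'a@example.com', password_hash('original', PASSWORD_DEFAULT));
saveProfileVulnerable($u1, $post);
// Vulnerable path: check whether the smuggled value now verifies against the hash.
var_dump(password_verify('newpass', $u1->passwordHash));
$u2 = new User('Alice', 'a@example.com', password_hash('original', PASSWORD_DEFAULT));
try { saveProfileHardened($u2, $post); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
// Hardened path: check whether the original password still verifies.
var_dump(password_verify('original', $u2->passwordHash));
```

The same allow-list idea applies to the session-validator setting the record mentions: a per-user toggle for IP pinning should never be among the fields a self-service profile form is permitted to write.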