CVE-2026-8337
IDOR Vulnerability in Concrete CMS Surveys
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | up to and including 9.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | Authorization Bypass Through User-Controlled Key: the system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking: the product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. |
AI Powered Q&A
Can you explain this vulnerability to me?
Concrete CMS versions up to and including 9.5.0 have an Insecure Direct Object Reference (IDOR) vulnerability in the survey feature.
The issue arises on a site that has both public and private (restricted) surveys.
An unauthenticated attacker can submit the optionID of a restricted survey's option through the public survey's voting endpoint. Because the endpoint does not check that the submitted optionID belongs to a survey the requester is allowed to vote in (CWE-639), the vote is recorded in the restricted survey without authorization.
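The following is an added example, not Concrete CMS code: a minimal model of the vote handler pattern the answer above describes. It keeps two surveys (one public, one restricted, constructed sample data with assumed IDs), shows a vulnerable handler that checks access against the survey named in the request but stores the vote against whichever survey the client-supplied optionID really belongs to, and the hardened form that rejects any optionID not owned by the authorized survey. Function and field names are assumptions for illustration.

```python
# Added example (not Concrete CMS code): the survey-vote IDOR pattern.
# Surveys, options and IDs below are constructed sample data.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request is not authorized for the requested action."""


@dataclass
class Survey:
    survey_id: int
    public: bool                 # False: only authenticated users may vote
    option_ids: set[int]         # the optionIDs that belong to this survey
    votes: dict[int, int] = field(default_factory=dict)


def build_fixture() -> dict[int, Survey]:
    """Constructed data: survey 1 is public, survey 2 is restricted."""
    return {
        1: Survey(1, public=True, option_ids={10, 11}),
        2: Survey(2, public=False, option_ids={20, 21}),
    }


def option_owner(surveys: dict[int, Survey], option_id: int) -> Survey:
    """Global optionID -> survey lookup, as a store keyed only by optionID does."""
    for s in surveys.values():
        if option_id in s.option_ids:
            return s
    raise KeyError(f"unknown optionID {option_id}")


def vote_vulnerable(surveys, survey_id, option_id, authenticated) -> int:
    """CWE-639 pattern: the access check is made against the survey named in
    the request, but the vote lands in whichever survey owns the optionID."""
    requested = surveys[survey_id]
    if not requested.public and not authenticated:
        raise Forbidden("restricted survey")
    target = option_owner(surveys, option_id)   # never compared to `requested`
    target.votes[option_id] = target.votes.get(option_id, 0) + 1
    return target.survey_id                     # may differ from survey_id


def vote_fixed(surveys, survey_id, option_id, authenticated) -> int:
    """Hardened form: the optionID must belong to the survey the request was
    authorized for; anything else is rejected before any state changes."""
    requested = surveys[survey_id]
    if not requested.public and not authenticated:
        raise Forbidden("restricted survey")
    if option_id not in requested.option_ids:
        raise Forbidden(f"optionID {option_id} is not an option of survey {survey_id}")
    requested.votes[option_id] = requested.votes.get(option_id, 0) + 1
    return requested.survey_id


def rejected(handler, *args) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


def demo():
    """Unauthenticated client posts restricted optionID 20 to public survey 1."""
    s = build_fixture()
    landed_in = vote_vulnerable(s, 1, 20, False)      # vote stored in survey 2
    s2 = build_fixture()
    blocked = rejected(vote_fixed, s2, 1, 20, False)  # hardened handler refuses
    return landed_in, blocked, s[2].votes, s2[2].votes


if __name__ == "__main__":
    print(demo())
```

The fix is the single membership check in `vote_fixed`: authorization must be evaluated against the object the key actually refers to, not against the object named in the URL. Any state that decides whether a visitor may vote (including a cookie-based "already voted" flag, the CWE-565 concern listed above) is subject to the same rule and should be validated server-side per survey.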
How can this vulnerability impact me?
Unauthorized users can cast votes in restricted surveys, skewing their results.
That leads to inaccurate data collection and undermines any decision or analytics based on the survey.
Because no authentication is required, the attack can be mounted by anyone who can reach the site.