CVE-2026-8350
Analyzed Analyzed - Analysis Complete

Privilege Escalation in Concrete CMS via Missing Authorization

Vulnerability report for CVE-2026-8350, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-07-02
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-30
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Concrete CMS versions 9.5.0 and below have a vulnerability in the bulk_user_assignment.php component where authorization checks are missing.

This flaw allows any authenticated user who can access the bulk user assignment dashboard page to escalate their privileges.

Specifically, such a user can add any user email to any group, including administrative groups, and can also remove legitimate administrators.

Impact Analysis

The vulnerability can lead to privilege escalation, allowing an attacker with basic authenticated access to gain administrative control.

This means unauthorized users could manipulate user group memberships, potentially removing legitimate admins and adding unauthorized users to privileged groups.

Such unauthorized administrative access can compromise the security and integrity of the CMS, leading to further exploitation or data breaches.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart