CVE-2026-8350
Analyzed Analyzed - Analysis Complete
Privilege Escalation in Concrete CMS via Missing Authorization

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-8350
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Concrete CMS versions 9.5.0 and below have a vulnerability in the bulk_user_assignment.php component where authorization checks are missing.

This flaw allows any authenticated user who can access the bulk user assignment dashboard page to escalate their privileges.

Specifically, such a user can add any user email to any group, including administrative groups, and can also remove legitimate administrators.

Impact Analysis

The vulnerability can lead to privilege escalation, allowing an attacker with basic authenticated access to gain administrative control.

This means unauthorized users could manipulate user group memberships, potentially removing legitimate admins and adding unauthorized users to privileged groups.

Such unauthorized administrative access can compromise the security and integrity of the CMS, leading to further exploitation or data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart