CVE-2026-8350
Privilege Escalation in Concrete CMS via Missing Authorization
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | to 9.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Concrete CMS versions 9.5.0 and below have a vulnerability in the bulk_user_assignment.php component where authorization checks are missing.
This flaw allows any authenticated user who can access the bulk user assignment dashboard page to escalate their privileges.
Specifically, such a user can add any user email to any group, including administrative groups, and can also remove legitimate administrators.
How can this vulnerability impact me? :
The vulnerability can lead to privilege escalation, allowing an attacker with basic authenticated access to gain administrative control.
This means unauthorized users could manipulate user group memberships, potentially removing legitimate admins and adding unauthorized users to privileged groups.
Such unauthorized administrative access can compromise the security and integrity of the CMS, leading to further exploitation or data breaches.