Concrete CMS 9.5.0 and below is vulnerable to missing authorization...

7.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting.

Basic Information

ID CVE-2026-8350

Source ConcreteCMS

Published May 21, 2026 at 20:28

Affected Product

Vendor Concrete CMS

Product Concrete CMS

Version 5.0

Affected Versions Concrete CMS Concrete CMS 5.0

CWE Classification

CWE-863

References

documentation.concretecms.org /9-x/developers/introduction/version-history/951-release-notes

{
    "lastseen": "",
    "description": "Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation\u00a0to Administrative Group.\u00a0Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks\u00a0Vincent55 for reporting.",
    "published": "2026-05-21T20:28:03.032Z",
    "modified": "2026-05-21T20:28:03.032Z",
    "type": "cve",
    "title": "Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group",
    "source": "ConcreteCMS",
    "references": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes",
    "id": "CVE-2026-8350",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Concrete CMS Concrete CMS 5.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Concrete CMS",
    "version": "5.0",
    "vendor": "Concrete CMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group_CVE-2026-8350