Description
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This weakness allows an account that has been disabled (uIsActive=0: suspended, banned, or a terminated employee) to complete the OAuth 2.0 Authorization-Code flow. Whoever still holds that account's credentials obtains a valid API token and can then call API endpoints that should be closed to inactive users. The vulnerability does not provide remote code execution or system compromise; rather, it undermines the account-status enforcement that the rest of the platform relies on, so deactivating an account no longer guarantees that it can stop obtaining API access.

Affected Systems

Concrete CMS versions 9.5.0 and all earlier releases are affected. The issue resides in the OAuth 2.0 Authorization-Code handler of the Concrete CMS platform.

Risk and Exploitability

The CVSS v4.0 score of 2.3 indicates low severity. No public exploit is known and the CVE is not listed in the CISA KEV catalog, which suggests a modest likelihood of real-world exploitation. An attacker must be able to authenticate as the disabled account (the vector's PR:L), which in practice means the former account holder, or anyone else holding credentials that were never rotated when the account was deactivated; the vulnerability does not expose information beyond what that account already had. Nevertheless, the ability to obtain fresh API tokens for suspended, banned, or terminated accounts defeats the intended access-control model and could lead to misuse of whatever API functions those accounts were entitled to.

Generated by OpenCVE AI on May 21, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Concrete CMS patch that addresses the CWE-1287 account-status bypass in the OAuth 2.0 Authorization-Code handler.
  • If a patch is not yet available, add a check for uIsActive=0 to the OAuth token-issuance logic so that inactive accounts are rejected, and apply it both when the authorization code is issued and when the code is exchanged for a token, since an account can be deactivated between those two steps.
  • Review API endpoints to ensure they verify the active status of the token's owner on each request, not only at issuance, so that tokens already held by an account stop working when that account is deactivated.
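The following is an added illustration of the flaw and the fix described above; it is not Concrete CMS code. It models an authorization server whose `enforce_status=False` mode reproduces the advisory's behaviour (credentials verified, uIsActive never consulted) beside a hardened mode that checks the flag at authorization, at the code-for-token exchange, and again when an API request presents the token. The in-memory user table, the `AuthServer` methods and the client/redirect values are assumptions made for the example; only the uIsActive column name comes from the advisory.

```python
"""Toy OAuth 2.0 authorization-code grant with and without an account-status
check. Added example for CVE-2026-7887, not Concrete CMS code: the user table,
handler methods and client values are assumptions; uIsActive is the column
named in the advisory."""
import copy
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample user table (not real data). uIsActive=0 models a
# suspended, banned or terminated account, as in the advisory.
SAMPLE_USERS = {
    "alice":   {"uID": 1, "password": "correct horse", "uIsActive": 1},
    "mallory": {"uID": 2, "password": "hunter2",       "uIsActive": 0},
}


class OAuthError(Exception):
    """Raised with an RFC 6749 style error string."""


@dataclass
class AuthServer:
    """enforce_status=False reproduces the reported behaviour: the password is
    verified but the account's active flag is never consulted."""
    enforce_status: bool = True
    users: dict = field(default_factory=lambda: copy.deepcopy(SAMPLE_USERS))
    _codes: dict = field(default_factory=dict)
    _tokens: dict = field(default_factory=dict)

    def _user_by_id(self, uid):
        return next(u for u in self.users.values() if u["uID"] == uid)

    def _require_active(self, user):
        # The missing check. It runs at every step that turns one credential
        # into another, so a mid-flow deactivation is still caught.
        if self.enforce_status and user["uIsActive"] != 1:
            raise OAuthError("access_denied: account is not active")

    def authorize(self, username, password, client_id, redirect_uri):
        """Resource-owner login at /authorize; returns a one-time code."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            raise OAuthError("invalid_grant")
        self._require_active(user)
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"uID": user["uID"], "client_id": client_id,
                             "redirect_uri": redirect_uri, "exp": time.time() + 60}
        return code

    def token(self, code, client_id, redirect_uri):
        """Code-for-token exchange at /token; status is re-checked here."""
        grant = self._codes.pop(code, None)  # single use
        if grant is None or grant["exp"] < time.time():
            raise OAuthError("invalid_grant")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_grant")
        user = self._user_by_id(grant["uID"])
        self._require_active(user)
        access = secrets.token_urlsafe(32)
        self._tokens[access] = {"uID": user["uID"], "exp": time.time() + 3600}
        return access

    def introspect(self, access_token):
        """API-side check per request: owner's uID, or None if the token is
        unknown, expired, or its owner is no longer active."""
        tok = self._tokens.get(access_token)
        if tok is None or tok["exp"] < time.time():
            return None
        user = self._user_by_id(tok["uID"])
        if self.enforce_status and user["uIsActive"] != 1:
            return None
        return user["uID"]


def _rejected(fn):
    try:
        fn()
        return False
    except OAuthError:
        return True


def run_scenarios():
    """Exercise both modes; returns a dict of booleans for inspection."""
    client, cb = "example-app", "https://app.example/callback"
    out = {}
    vuln = AuthServer(enforce_status=False)
    tok = vuln.token(vuln.authorize("mallory", "hunter2", client, cb), client, cb)
    out["vulnerable_issues_token_to_inactive"] = vuln.introspect(tok) == 2

    fixed = AuthServer()
    out["fixed_rejects_at_authorize"] = _rejected(
        lambda: fixed.authorize("mallory", "hunter2", client, cb))
    code = fixed.authorize("alice", "correct horse", client, cb)
    fixed.users["alice"]["uIsActive"] = 0           # disabled mid-flow
    out["fixed_rejects_at_token"] = _rejected(lambda: fixed.token(code, client, cb))
    fixed.users["alice"]["uIsActive"] = 1
    tok = fixed.token(fixed.authorize("alice", "correct horse", client, cb), client, cb)
    out["active_user_gets_token"] = fixed.introspect(tok) == 1
    fixed.users["alice"]["uIsActive"] = 0           # disabled after issuance
    out["fixed_revokes_via_introspect"] = fixed.introspect(tok) is None
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Running the module prints one line per scenario; the vulnerable mode hands a usable token to the inactive account, while the hardened mode refuses at the authorize step, refuses a code whose owner was deactivated before exchange, and stops honouring an already-issued token once its owner is deactivated.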

Generated by OpenCVE AI on May 21, 2026 at 23:23 UTC.

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Concretecms
                                      Concretecms concrete Cms
Vendors & Products                    Concretecms
                                      Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description                    For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting.
Title                          For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status
Weaknesses                     CWE-1287
References
Metrics                        cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:20:13.037Z

Reserved: 2026-05-05T20:22:40.962Z

Link: CVE-2026-7887

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:49.270

Modified: 2026-05-21T22:16:49.270

Link: CVE-2026-7887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:30:22Z

Weaknesses