Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey's endpoint. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec https://github.com/Zee99y for reporting
Published: 2026-05-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier contain an IDOR vulnerability that lets an unauthenticated attacker cast votes in a private survey by submitting one of that survey's restricted optionIDs through the public survey's endpoint. The root cause is a missing authorization check on survey option submissions: the public endpoint accepts an optionID belonging to the restricted survey without verifying that the caller may vote there (classified as CWE-565 and CWE-639). The flaw is reachable only when public and private surveys coexist on the same site. The impact is confined to the integrity and privacy of survey results; the CVE description does not indicate exposure of other system data or any lateral movement.

Affected Systems

Any Concrete CMS site running version 9.5.0 or earlier that hosts both public and private surveys simultaneously is affected. The issue is confined to the survey functionality; other components of Concrete CMS are not impacted.

Risk and Exploitability

The CVSS v4.0 score of 6.3 indicates moderate severity. No EPSS score is available, so current exploitation likelihood cannot be quantified; the absence of a KEV listing suggests the flaw is not known to be exploited. The attack vector is network-based and unauthenticated, with low complexity and no required privileges, so an attacker can exploit the flaw easily once the precondition (public and private surveys coexisting) is met. The impact is limited to the integrity and privacy of survey results, which can still undermine trust in survey outcomes and the decisions based on them. Although the risk is moderate, organizations should patch promptly.

Generated by OpenCVE AI on May 21, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Concrete CMS version newer than 9.5.0, verifying the vendor’s release notes that address the IDOR flaw
  • Ensure the survey API enforces proper authorization checks on optionID submissions so that restricted options cannot be posted via the public endpoint
  • If an immediate upgrade is not possible, disable or remove private surveys from sites that also host public surveys, or restrict anonymous voting on public surveys to prevent this exploitation
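The second recommended action above is the core of the fix. The following is an added illustration, not Concrete CMS code: a minimal in-memory survey model with a vote handler that authorizes only against the survey named in the request (the IDOR pattern the advisory describes) beside one that first resolves the submitted optionID to its owning survey and authorizes against that. All names and data here are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Survey:
    survey_id: int
    is_public: bool        # private surveys require an authorized user
    option_ids: frozenset  # options that belong to this survey

@dataclass
class Store:
    surveys: dict
    option_owner: dict = field(default_factory=dict)  # option_id -> survey_id
    votes: dict = field(default_factory=dict)         # option_id -> vote count

    def __post_init__(self):
        for s in self.surveys.values():
            for o in s.option_ids:
                self.option_owner[o] = s.survey_id

def make_store():
    # Constructed fixture: survey 1 is public, survey 2 is private.
    return Store({1: Survey(1, True, frozenset({10, 11})),
                  2: Survey(2, False, frozenset({20, 21}))})

def can_access(survey, authorized):
    return survey.is_public or authorized

def vote_vulnerable(store, survey_id, option_id, authorized=False):
    # Authorizes against the survey named in the request, then records the
    # submitted option_id without checking which survey it belongs to.
    if not can_access(store.surveys[survey_id], authorized):
        return False
    store.votes[option_id] = store.votes.get(option_id, 0) + 1
    return True

def vote_fixed(store, survey_id, option_id, authorized=False):
    # Resolves the option to its owning survey first and authorizes against
    # that survey, so a foreign option_id cannot ride on the public endpoint.
    owner_id = store.option_owner.get(option_id)
    if owner_id is None or owner_id != survey_id:
        return False  # option is not part of the survey being voted in
    if not can_access(store.surveys[owner_id], authorized):
        return False
    store.votes[option_id] = store.votes.get(option_id, 0) + 1
    return True
```

With this fixture, an anonymous vote for option 20 via public survey 1 is recorded by `vote_vulnerable` but rejected by `vote_fixed`, while legitimate votes still succeed.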

Advisories

No advisories yet.

History

Tue, 26 May 2026 17:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1
                           {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Fri, 22 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Concretecms
                                       Concretecms concrete Cms
Vendors & Products                     Concretecms
                                       Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description                    Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey's endpoint. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec https://github.com/Zee99y for reporting
Title                          Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys
Weaknesses                     CWE-565
                               CWE-639
References
Metrics                        cvssV4_0
                               {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T13:13:57.212Z

Reserved: 2026-05-11T15:59:55.797Z

Link: CVE-2026-8337

Vulnrichment

Updated: 2026-05-22T13:13:53.952Z

NVD

Status : Analyzed

Published: 2026-05-21T22:16:50.497

Modified: 2026-05-26T17:13:07.190

Link: CVE-2026-8337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:30:22Z

Weaknesses
  • CWE-565: Reliance on Cookies without Validation and Integrity Checking
  • CWE-639: Authorization Bypass Through User-Controlled Key