Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using Express and relying on Express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Published: 2026-05-22
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier contain an IDOR and an incorrect authorization check in the Express association Reorder dialog. An authenticated user with only view permission on one entry can reach the reorder interface and change the order of associated entities, altering state on entries that the user should not control. The flaw therefore allows cross-entity state tampering without any administrative rights.

Affected Systems

The vulnerability affects installations of Concrete CMS 9.5.0 and earlier that use the Express feature for entity ordering. Sites that enable Express association ordering and expose the reorder dialog are susceptible. Concrete CMS installations that do not rely on Express ordering are not affected.

Risk and Exploitability

The CVSS v4.0 score of 2.3 indicates low severity, consistent with the privileges required (PR:L), the attack requirements (AT:P) and the limited integrity impact (VI:L). No EPSS data is available, and the absence of an entry in the KEV catalog suggests limited exploitation activity. The flaw is reachable only through the authenticated web interface, so the attack vector is network (AV:N) via the Express reorder dialog. Because the flaw grants only state-modification capability, the risk to confidentiality and availability is minimal, but the integrity of entities could be damaged.

Generated by OpenCVE AI on May 22, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Concrete CMS release that removes the flawed Express reorder logic (current releases >9.5.0).
  • If upgrading immediately is not possible, revoke reorder access for users with only view permissions; configure the CMS to restrict the Express reorder dialog to users with edit rights.
  • Disable or remove the Express association ordering feature if it is not required for the site’s workflow.
  • Monitor user activity logs for unexpected reorder actions and set alerts on unauthorized modifications.

Advisories

No advisories yet.

History

Fri, 22 May 2026 18:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 15:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Concretecms; Concretecms concrete Cms

Type: Vendors & Products
Values Removed: none
Values Added: Concretecms; Concretecms concrete Cms

Fri, 22 May 2026 14:30:00 +0000

Type: Description
Values Removed: none
Values Added: Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog.  This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

Type: Title
Values Removed: none
Values Added: Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog

Type: Weaknesses
Values Removed: none
Values Added: CWE-639

Type: References
Values Removed: none
Values Added: (none)

Type: Metrics
Values Removed: none
Values Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T17:21:46.546Z

Reserved: 2026-05-11T16:28:20.551Z

Link: CVE-2026-8347

Vulnrichment

Updated: 2026-05-22T17:19:36.427Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:45:16Z

Weaknesses