Description
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier lack an authorization check in bulk_user_assignment.php. The flaw allows any authenticated user who can reach the bulk user assignment dashboard to add arbitrary email addresses to any group or remove administrators from groups. This is a privilege escalation that can grant ordinary users full administrative rights. The vulnerability maps to CWE-863 (Incorrect Authorization).

Affected Systems

The affected product is Concrete CMS. Version 9.5.0 and all prior releases are affected. The vulnerability is present in the core installation of Concrete CMS and does not depend on any additional configuration beyond the presence of the bulk_user_assignment.php script.

Risk and Exploitability

The CVSS v4.0 score of 7.5 indicates a high-severity vulnerability. The attack vector is network-based (AV:N) and the attacker needs an authenticated user account, which on many installations may be obtainable through widespread password reuse or weak authentication practices. Because no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the current exploitation risk is uncertain, but the high CVSS score and the fact that any authenticated user can elevate privileges suggest a medium-to-high probability of real-world impact. Administrators should treat this as a serious risk until a patch is applied.

Generated by OpenCVE AI on May 21, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to a release newer than 9.5.0.
  • Configure the application so that only users assigned to the administrative role can access the bulk user assignment dashboard.
  • Regularly review audit logs for unauthorized group changes and investigate any suspicious activity.

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Concretecms; Concretecms concrete Cms
Vendors & Products   |                | Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting.
Title       |                | Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV4_0: {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:28:03.032Z

Reserved: 2026-05-11T16:40:39.812Z

Link: CVE-2026-8350

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T21:16:33.773

Modified: 2026-05-21T21:16:33.773

Link: CVE-2026-8350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses