Vulnerability Description
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to Vincent55 for reporting.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-8350?
CVE-2026-8350 is a documented vulnerability. Concrete CMS 9.5.0 and below is vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative Group. Any authenticated user with access t...
How severe is CVE-2026-8350?
CVSS scoring is not yet available for CVE-2026-8350. Check NVD for updates.
Is there a patch for CVE-2026-8350?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.