IDOR Vulnerability in Concrete CMS by Concrete5
CVE-2026-8347

2.3LOW

Key Information:

Vendor: Concrete Cms
Status: Concrete Cms
Vendor: CVE Published:; 22 May 2026

🔔 Create Concrete Cms Vulnerability Alert

What is CVE-2026-8347?

A vulnerability in Concrete CMS versions 9.5.0 and earlier allows an attacker to exploit IDOR (Insecure Direct Object Reference) and incorrect authorization levels in the Express association Reorder dialog. This could enable a malicious user to manipulate state across entities with view-only permissions for specific entries. For a site to be vulnerable, it must utilize the express feature and depend on express entity ordering. The submission of this vulnerability was made by Winston Crooker.

Affected Version(s)

Concrete CMS 5.0 <= 9.5.0

References

https://documentation.concretecms.org/9-x/developers/intr...

release-notes

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
May 11, 2026

Credit

Winston Crooker

CVE-2026-8347 Data

JSON