Privilege Escalation Vulnerability in Concrete CMS by Concrete
CVE-2026-8350

7.5HIGH

Key Information:

Vendor: Concrete Cms
Status: Concrete Cms
Vendor: CVE Published:; 21 May 2026

🔔 Create Concrete Cms Vulnerability Alert

What is CVE-2026-8350?

Concrete CMS versions 9.5.0 and earlier are susceptible to a security issue where missing authorization in the bulk user assignment functionality allows authenticated users to evade restrictions. These users can manipulate group memberships, including adding arbitrary email addresses to any group or removing authorized administrators. This weakness poses serious risks to the integrity of user permissions and can potentially lead to administrative access being compromised.

Affected Version(s)

Concrete CMS 5.0 <= 9.5.0

References

https://documentation.concretecms.org/9-x/developers/intr...

release-notes

CVSS V4

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 21, 2026
Vulnerability Reserved
May 11, 2026

Credit

Vincent55

CVE-2026-8350 Data

JSON