CVE-2026-8350
HighSummary
Concrete CMS versions 9.5.0 and below are vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative Group. Any authenticated user with access to the bulk user assignment dashboard can add any user email to any group and can remove legitimate admins.
Risk Assessment
This vulnerability poses a risk that unauthorized users may gain administrative privileges, potentially leading to serious security breaches within the organization.
Recommendation
It is recommended to update Concrete CMS to the latest version to mitigate this vulnerability and to restrict access to the user assignment dashboard only to trusted administrators.
Original NVD description (English source)
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting.

