Skip to main content

Concrete CMS CVE-2026-8337

| EUVDEUVD-2026-31359 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-21 ConcreteCMS GHSA-8c7c-h7px-267g
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:45 vuln.today

DescriptionCVE.org

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks  Zer0daySec https://github.com/Zee99y  for reporting

AnalysisAI

Insecure Direct Object Reference (IDOR) in Concrete CMS versions up to and including 9.5.0 enables unauthenticated remote attackers to cast fraudulent votes in restricted private surveys by submitting a private survey's optionID through the publicly accessible voting endpoint. The vulnerability is configuration-dependent - exploitation requires the target site to simultaneously host both public and private surveys - which the CVSS v4.0 vector encodes as AT:P (Attack Requirements: Present), moderately lowering the practical risk surface compared to a universally exploitable flaw. No public exploit code or active exploitation has been identified at time of analysis. Impact is limited to integrity: survey result manipulation with no confidentiality or availability consequence.

Technical ContextAI

Concrete CMS is a PHP-based content management system (CPE: cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*). The vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key - a subclass of IDOR where the application uses a caller-supplied identifier (here, an optionID representing a survey choice) to retrieve or act on a data object without verifying that the caller is authorized to access that specific object. The survey module exposes a public endpoint for submitting votes, but fails to validate that the submitted optionID belongs to the survey associated with that endpoint. Because optionIDs for both public and private surveys share the same namespace or are otherwise reachable, an attacker can cross-reference objects across access boundaries. The CVSS v4.0 score of 6.3 (Medium) reflects network delivery, low complexity once prerequisites are met, no required privileges, but constrained impact (VI:L only) and the prerequisite of a mixed public/private survey deployment.

RemediationAI

The primary remediation is upgrading to Concrete CMS 9.5.1, as indicated by the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. Organizations unable to patch immediately should audit their site configuration and temporarily remove or unpublish private surveys until the upgrade is applied - eliminating the mixed public/private survey configuration removes the exploitable condition entirely as encoded in AT:P. There is no indication of a WAF rule or network-layer control that would reliably mitigate an IDOR of this type, since the attack uses a legitimate, accessible endpoint with a manipulated parameter. Restricting public access to the survey voting endpoint would break legitimate public survey functionality and is not recommended as a long-term workaround.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy