CVE-2026-7887
Description
In Concrete CMS 9.5.0 and below, the OAuth 2.0 authorization-code handler bypasses the account status check. A user with uIsActive=0 (suspended, banned, or a terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks to 0x4c616e for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-7887 allows suspended users (uIsActive=0) to authenticate and get valid API tokens via OAuth 2.0 in Concrete CMS 9.5.0 and below.
Vulnerability
CVE-2026-7887 affects the OAuth 2.0 authorization-code handler in Concrete CMS 9.5.0 and earlier. The handler does not check whether the authenticating user's account is active (uIsActive=0). As a result, users whose accounts have been suspended, banned, or terminated can still complete the OAuth flow and receive valid API tokens.
Exploitation
An attacker who knows the credentials of a suspended user (or who can obtain them through other means) can authenticate via the OAuth 2.0 authorization-code grant type. No special network position is required beyond being able to reach the login endpoint. The CVSS vector indicates low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N).
Impact
Upon successful authentication, the suspended user gains API tokens that inherit the permissions the account had prior to suspension. This could enable unauthorized access to Concrete CMS APIs with the privileges of that user (e.g., reading or modifying content). The CVSS v4.0 score is 2.3, reflecting low impact to confidentiality and integrity, with no impact on availability.
Mitigation
Concrete CMS released version 9.5.1, which fixes this issue by ensuring that the OAuth handler checks the account's active status before issuing tokens [1]. Users should upgrade to 9.5.1 or later. No workaround is documented.
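The following is an added illustration, not Concrete CMS code, of the defect the Vulnerability section describes and the class of fix the Mitigation section refers to: a minimal authorization-code handler that can be run with or without an account-status check. The user store, client id, redirect URI, credentials and the SHA-256 stand-in for a real password hash are all constructed for the example; the is_active field mirrors the uIsActive flag named in the advisory. The hardened path checks status both when issuing the code and again when exchanging it, since an account can be suspended between the two requests.

```python
"""Toy OAuth 2.0 authorization-code handler showing the missing
account-status check and its fix.  Illustrative only; not the
Concrete CMS implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash(password: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt in production).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class User:
    username: str
    password_hash: str
    is_active: bool = True  # constructed analogue of uIsActive


@dataclass
class AuthCodeHandler:
    users: dict
    check_account_status: bool = True  # False reproduces the vulnerable behaviour
    _codes: dict = field(default_factory=dict)

    def authorize(self, username, password, client_id, redirect_uri):
        """Return an authorization code, or None if login is refused."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
            return None
        # The fix: a suspended/banned account must not enter the OAuth flow.
        if self.check_account_status and not user.is_active:
            return None
        code = secrets.token_urlsafe(32)
        self._codes[code] = (username, client_id, redirect_uri)
        return code

    def exchange(self, code, client_id, redirect_uri):
        """Exchange a single-use code for a bearer token, or return None."""
        entry = self._codes.pop(code, None)  # pop enforces single use
        if entry is None:
            return None
        username, bound_client, bound_redirect = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            return None
        user = self.users[username]
        # Defence in depth: re-check status at token issuance as well.
        if self.check_account_status and not user.is_active:
            return None
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "sub": username}


def build_users() -> dict:
    # Constructed sample users: one active, one suspended.
    return {
        "alice": User("alice", _hash("correct horse"), is_active=True),
        "mallory": User("mallory", _hash("battery staple"), is_active=False),
    }


def run_flow(handler: AuthCodeHandler, username: str, password: str):
    """Drive /authorize then /token for one user; None means refused."""
    client_id, redirect_uri = "web-client", "https://app.example/cb"  # constructed
    code = handler.authorize(username, password, client_id, redirect_uri)
    if code is None:
        return None
    return handler.exchange(code, client_id, redirect_uri)


if __name__ == "__main__":
    vulnerable = AuthCodeHandler(build_users(), check_account_status=False)
    fixed = AuthCodeHandler(build_users(), check_account_status=True)
    print("vulnerable, suspended user:", run_flow(vulnerable, "mallory", "battery staple"))
    print("fixed, suspended user:     ", run_flow(fixed, "mallory", "battery staple"))
    print("fixed, active user:        ", run_flow(fixed, "alice", "correct horse"))
```

Running the block prints a token for the suspended user only on the vulnerable handler; the fixed handler refuses that user at the authorize step while still serving the active one. The same status check belongs on refresh-token use, which this toy omits.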
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Concrete CMS, range: <=9.5.0
Patches
No patches discovered yet.
References