VYPR
Medium severity · NVD Advisory · Published May 21, 2026

CVE-2026-8327

Description

Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting, resulting in password change without requiring the current password, and also allowing registered users to disable the per-user IP pinning in the session validator, which is meant to detect hijacking. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 5.3 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks 0x4c616e for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS’s user-profile edit controller passes full POST data to UserInfo::update(), enabling password change without reauthorization and session-hardening bypass.

Vulnerability

Description

CVE-2026-8327 is a Medium-severity vulnerability in Concrete CMS 9.5.0 and earlier. The root cause is in the user-profile edit controller, which hands the entire raw POST array to UserInfo::update() without whitelisting the fields a user is allowed to edit, a classic mass-assignment flaw. Any field that update() knows how to store can therefore be set from the profile form, including the password, and nothing in the path asks the user to prove the current password first.

Exploitation

An attacker with a valid registered account can exploit this by sending a POST request to the profile-edit endpoint that carries fields the profile form does not normally expose. Because the controller performs no field whitelisting, a supplied password field is accepted and the account password is set to a value of the attacker's choosing, with no current-password check. The same request can clear the per-user IP-pinning setting in the session validator, a check intended to detect session hijacking, so the session is no longer bound to the client address it was created from. The attack needs low privileges (PR:L) and no user interaction (UI:N); the CVSS v4.0 score is 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) [1].
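The mass-assignment pattern described in the two paragraphs above, beside a whitelisted form of the same handler, as an added example that is not Concrete CMS code. The Profile class, the field names, the session_ip_check flag and the helper names are hypothetical placeholders; only the pattern (an edit controller passing the raw POST array to an update method with no field whitelist, and a password change that never asks for the current password) is taken from the advisory text.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. The Profile class, field names,
// the session_ip_check flag and the helper names are hypothetical; only the
// vulnerable pattern comes from the advisory.

final class Profile
{
    /** Fields a user may change from the profile form; everything else is dropped. */
    private const PROFILE_EDITABLE = ['display_name', 'email'];

    /** @var array<string,mixed> constructed sample account record */
    private array $record;

    public function __construct()
    {
        $this->record = [
            'display_name'     => 'alice',
            'email'            => 'alice@example.test',
            'password_hash'    => password_hash('correct horse', PASSWORD_DEFAULT),
            'session_ip_check' => true,   // hypothetical per-user IP-pinning flag
        ];
    }

    public function get(string $field): mixed
    {
        return $this->record[$field];
    }

    public function verifyPassword(string $plain): bool
    {
        return password_verify($plain, $this->record['password_hash']);
    }

    /**
     * VULNERABLE pattern: every submitted key that names a stored field is
     * written, so a logged-in user who adds 'password' or 'session_ip_check'
     * to the POST body changes them without any further check.
     */
    public function updateUnchecked(array $post): void
    {
        foreach ($post as $field => $value) {
            if ($field === 'password') {
                $this->record['password_hash'] = password_hash((string) $value, PASSWORD_DEFAULT);
            } elseif (array_key_exists($field, $this->record)) {
                $this->record[$field] = $value;
            }
        }
    }

    /**
     * HARDENED pattern: keep only the whitelisted profile fields, and route a
     * password change through a step that demands the current password.
     * Security flags such as session_ip_check are never user-editable here.
     * Returns false if a password change was requested but not authorized.
     */
    public function updateWhitelisted(array $post): bool
    {
        $allowed = array_intersect_key($post, array_flip(self::PROFILE_EDITABLE));
        foreach ($allowed as $field => $value) {
            $this->record[$field] = (string) $value;
        }
        if (!isset($post['password'])) {
            return true;
        }
        return $this->changePassword((string) ($post['current_password'] ?? ''), (string) $post['password']);
    }

    /** Reauthorization: refuse unless the caller proves the current password. */
    public function changePassword(string $current, string $new): bool
    {
        if (!$this->verifyPassword($current)) {
            return false;
        }
        $this->record['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
        return true;
    }
}

// Constructed request body: an ordinary email edit with two extra keys that
// the profile form never renders.
$post = [
    'email'            => 'alice@example.test',
    'password'         => 'attacker-chosen',
    'session_ip_check' => false,
];

$victim = new Profile();
$victim->updateUnchecked($post);
printf("unchecked:   attacker password works=%s, ip check=%s\n",
    var_export($victim->verifyPassword('attacker-chosen'), true),
    var_export($victim->get('session_ip_check'), true));

$victim = new Profile();
$ok = $victim->updateWhitelisted($post);
printf("whitelisted: update accepted=%s, attacker password works=%s, ip check=%s\n",
    var_export($ok, true),
    var_export($victim->verifyPassword('attacker-chosen'), true),
    var_export($victim->get('session_ip_check'), true));
```

Run with `php example.php`. The unchecked handler accepts the new password and clears the IP-pinning flag from a single request; the whitelisted handler keeps only the email, leaves the flag alone, and refuses the password change because no valid current_password was supplied. The same two properties are what to re-test against a deployment after patching: a profile update carrying an unexpected password field must not rotate the credential, and the session-validator setting must not be reachable from the profile form.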

Impact

Successful exploitation lets the attacker change the password on the account the controller operates on (their own, and potentially other users' if the controller's scope is not limited to the current user) and weaken session security by disabling IP pinning. The practical concern is that anyone holding a victim's live session, whether through hijacking or a stolen cookie, can convert it into persistent account takeover by setting a new password without knowing the old one, and the disabled IP pinning removes a check that would otherwise flag the foreign session. The vector records no direct confidentiality or availability impact; the integrity impact is rated low (VI:L) [1].

Mitigation

Concrete CMS addressed this vulnerability in version 9.5.1. The 9.5.1 release notes list behavioral improvements and bug fixes without naming this CVE, but the advisory states the fix is included in that update. Upgrade to Concrete CMS 9.5.1 or later. No workaround is documented for unpatched versions [1]; until the upgrade is applied, treat any profile-update request from an authenticated user as able to rotate that account's password and to relax its session validation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
