CVE-2026-8350
Description
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in bulk_user_assignment.php, which can lead to privilege escalation to the Administrative group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to Vincent55 for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS ≤9.5.0 has a missing authorization flaw in bulk_user_assignment.php allowing authenticated users to escalate to admin.
Vulnerability Details
The vulnerability resides in bulk_user_assignment.php within Concrete CMS versions 9.5.0 and below. The file fails to enforce proper authorization checks, so any authenticated user who can reach the bulk user assignment dashboard page can manipulate group memberships: adding any user (including themselves) to any group, and removing existing members from groups. The issue is a missing authorization check on the action itself, not an authentication bypass; being able to open the page is treated as sufficient permission to modify every group.
Exploitation
An attacker must have a valid account on the Concrete CMS instance and have permission to access the bulk user assignment page. This page is often granted to users with limited administrative roles or custom permissions. No further privileges are required; once on the page, the attacker can input any valid email address of an existing user and assign them to any group, including the Administrative group. The attacker can also remove legitimate administrators, effectively taking over the site.
Impact
Successful exploitation leads to privilege escalation to the Administrative group. An attacker can add their own account to the admin group, then perform any administrative action, such as modifying site content, installing malicious add-ons, or exfiltrating data. The removal of existing admins further entrenches the attacker's control. The CVSS v4.0 score is 7.5 (High), reflecting the high impact on confidentiality, integrity, and availability.
Mitigation
The Concrete CMS security team released version 9.5.1, which addresses this vulnerability by adding proper authorization checks to the bulk user assignment functionality [1]. Users are strongly advised to upgrade to 9.5.1 or later. If upgrading is not immediately possible, access to the bulk user assignment page should be restricted to trusted administrators only.
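The following is an added illustration of the control the Details and Mitigation sections describe, written here as generic PHP and not taken from Concrete CMS or its 9.5.1 patch. It models a bulk "add/remove users to group" action that authorizes each request against the target group (can this actor manage this group?) rather than against mere access to the dashboard page, and it refuses a removal that would leave a group with no members. The class, function and group names and the user data are all hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code. Authorization is decided per target
// group; reaching the dashboard page grants nothing by itself. All names and
// data below are hypothetical / constructed.

final class GroupStore
{
    /**
     * @param array<string, string[]> $members  group name => member emails
     * @param array<string, string[]> $managers group name => groups allowed to manage it
     */
    public function __construct(private array $members, private array $managers) {}

    public function isMember(string $email, string $group): bool
    {
        return in_array($email, $this->members[$group] ?? [], true);
    }

    /** @return string[] */
    public function managersOf(string $group): array
    {
        return $this->managers[$group] ?? [];
    }

    public function memberCount(string $group): int
    {
        return count($this->members[$group] ?? []);
    }

    public function add(string $email, string $group): void
    {
        if (!$this->isMember($email, $group)) {
            $this->members[$group][] = $email;
        }
    }

    public function remove(string $email, string $group): void
    {
        $this->members[$group] = array_values(array_filter(
            $this->members[$group] ?? [],
            fn(string $m): bool => $m !== $email
        ));
    }
}

// An actor may modify a group only if they belong to one of that group's
// manager groups. This is the check the vulnerable handler lacked.
function canManageGroup(GroupStore $store, string $actor, string $group): bool
{
    foreach ($store->managersOf($group) as $managerGroup) {
        if ($store->isMember($actor, $managerGroup)) {
            return true;
        }
    }
    return false;
}

/**
 * Apply one bulk action ("add" or "remove") to a list of emails.
 * Returns ['ok' => bool, 'error' => string|null]. The authorization check
 * runs before any change, and a removal that would empty the group is
 * refused so no single request can strip every administrator.
 */
function bulkAssign(GroupStore $store, string $actor, array $emails, string $group, string $action): array
{
    if (!canManageGroup($store, $actor, $group)) {
        return ['ok' => false, 'error' => "actor is not authorized to modify group '$group'"];
    }
    if ($action === 'remove') {
        $hits = array_filter(array_unique($emails), fn(string $e): bool => $store->isMember($e, $group));
        if ($store->memberCount($group) - count($hits) < 1) {
            return ['ok' => false, 'error' => "refusing to remove the last member of '$group'"];
        }
    } elseif ($action !== 'add') {
        return ['ok' => false, 'error' => "unknown action '$action'"];
    }
    foreach ($emails as $email) {
        $action === 'add' ? $store->add($email, $group) : $store->remove($email, $group);
    }
    return ['ok' => true, 'error' => null];
}

// Constructed demo data: "Editor Leads" may manage "Editors"; only
// "Administrators" may manage "Administrators".
$store = new GroupStore(
    ['Administrators' => ['admin@example.test'], 'Editor Leads' => ['lead@example.test'], 'Editors' => []],
    ['Administrators' => ['Administrators'], 'Editors' => ['Administrators', 'Editor Leads']]
);

// A lead who can open the page still cannot promote themselves or remove the admin,
// but may manage the group delegated to them; even the admin cannot empty Administrators.
var_dump(bulkAssign($store, 'lead@example.test', ['lead@example.test'], 'Administrators', 'add'));
var_dump(bulkAssign($store, 'lead@example.test', ['admin@example.test'], 'Administrators', 'remove'));
var_dump(bulkAssign($store, 'lead@example.test', ['new@example.test'], 'Editors', 'add'));
var_dump(bulkAssign($store, 'admin@example.test', ['admin@example.test'], 'Administrators', 'remove'));
```

The design point is that the page-level permission (who may see the dashboard) and the action-level permission (who may change a given group) are separate decisions, and the second must be evaluated on every request for every target group. The last-member guard is an extra safety net against the "remove legitimate admins" outcome described above, not a substitute for the authorization check.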
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.