PatchSiren cyber security CVE debrief
CVE-2026-7887 Concrete CMS CVE debrief
CVE-2026-7887 affects Concrete CMS 9.5.0 and below. In the OAuth 2.0 authorization-code flow, the handler can bypass account-status enforcement, so a user whose account is flagged uIsActive=0 (suspended, banned, or terminated) can still authenticate and receive valid API tokens. The Concrete CMS security team scores the issue CVSS v4.0 2.3 (LOW), but it undermines account revocation and the access-control expectations built on it.
- Vendor: Concrete CMS
- Product: Unknown in stored evidence (treated as Concrete CMS; see Evidence notes)
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Security and platform teams running Concrete CMS with OAuth-based authentication, especially where suspended or offboarded accounts should be blocked immediately. Identity, application, and API administrators should also care if API tokens are issued through the same login path.
Technical summary
The vulnerability is an authentication/authorization-control failure in the OAuth 2.0 authorization-code handler. According to the supplied CVE description, the handler does not honor the uIsActive=0 account state, so a disabled user who still holds valid credentials can complete OAuth login and obtain valid API tokens. NVD associates the record with CWE-1287 and reports the vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Read as stated, that vector describes a network-reachable flow that needs low-privilege credentials (PR:L) and a preconditioned setup (AT:P), with low confidentiality and integrity impact both on the vulnerable system and on subsequent systems that trust the issued tokens.
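To make the defect class concrete, the following is an added example written for this debrief; it is not Concrete CMS source and does not reflect how the vendor's handler is implemented. Only the flag name uIsActive comes from the advisory; the function names, store layout, token format and sample users are assumptions. It models an authorization-code flow in which the account-status check is skipped (the vulnerable path) and then the corrected flow, which enforces the flag both when the code is issued and again when it is redeemed, so that an account suspended between the two steps is also refused.

```python
"""
Hypothetical model of the defect class described for CVE-2026-7887.
Written for this debrief; not Concrete CMS source. Only the flag name
uIsActive comes from the advisory; function names, store layout, token
format and sample data are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


class AuthError(Exception):
    pass


@dataclass
class User:
    uID: int
    uName: str
    password_hash: str
    uIsActive: int  # 1 = active; 0 = suspended, banned or terminated


@dataclass
class Store:
    users: dict                                  # uName -> User
    codes: dict = field(default_factory=dict)    # auth code -> (uID, client_id, expiry)
    tokens: dict = field(default_factory=dict)   # access token -> uID


def hash_pw(password: str) -> str:
    # Demo hashing only; a real deployment uses a slow KDF such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def check_credentials(store: Store, username: str, password: str) -> User:
    user = store.users.get(username)
    if user is None or not hmac.compare_digest(user.password_hash, hash_pw(password)):
        raise AuthError("invalid credentials")
    return user


def require_active(user: User) -> None:
    # The check the vulnerable handler skips: refuse deactivated accounts.
    if user.uIsActive != 1:
        raise AuthError("account is not active")


def authorize(store: Store, username: str, password: str, client_id: str,
              enforce_status: bool) -> str:
    """Authorization endpoint: authenticate, then issue a short-lived code."""
    user = check_credentials(store, username, password)
    if enforce_status:
        require_active(user)
    code = secrets.token_urlsafe(16)
    store.codes[code] = (user.uID, client_id, time.time() + 60)
    return code


def exchange_code(store: Store, code: str, client_id: str, enforce_status: bool) -> str:
    """Token endpoint: redeem a code once. Status is re-checked here because the
    account may have been deactivated between authorization and redemption."""
    entry = store.codes.pop(code, None)
    if entry is None:
        raise AuthError("unknown or already-used code")
    uID, bound_client, expiry = entry
    if bound_client != client_id or time.time() > expiry:
        raise AuthError("code not valid for this client, or expired")
    if enforce_status:
        user = next(u for u in store.users.values() if u.uID == uID)
        require_active(user)
    token = secrets.token_urlsafe(32)
    store.tokens[token] = uID
    return token


def login_outcome(store: Store, username: str, password: str, client_id: str,
                  enforce_status: bool) -> bool:
    """True if the full flow hands out an access token, False if it refuses."""
    try:
        code = authorize(store, username, password, client_id, enforce_status)
        exchange_code(store, code, client_id, enforce_status)
        return True
    except AuthError:
        return False


def new_store() -> Store:
    # Constructed sample data: one active user, one suspended user.
    return Store(users={
        "alice": User(1, "alice", hash_pw("alice-pw"), uIsActive=1),
        "mallory": User(2, "mallory", hash_pw("mallory-pw"), uIsActive=0),
    })


def demo() -> dict:
    results = {}
    # Vulnerable handler: the suspended account still receives a token.
    results["vulnerable_suspended_gets_token"] = login_outcome(
        new_store(), "mallory", "mallory-pw", "app", enforce_status=False)
    # Fixed handler: refused at the authorization step.
    results["fixed_suspended_refused"] = not login_outcome(
        new_store(), "mallory", "mallory-pw", "app", enforce_status=True)
    # Fixed handler still serves active users.
    results["fixed_active_gets_token"] = login_outcome(
        new_store(), "alice", "alice-pw", "app", enforce_status=True)
    # Suspension between code issuance and redemption is caught at the token endpoint.
    store = new_store()
    code = authorize(store, "alice", "alice-pw", "app", enforce_status=True)
    store.users["alice"].uIsActive = 0
    try:
        exchange_code(store, code, "app", enforce_status=True)
        results["fixed_recheck_at_exchange"] = False
    except AuthError:
        results["fixed_recheck_at_exchange"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of checking at both endpoints is that an authorization code, a refresh token, and a live access token are each separate issuance events; a status check that lives only on the login form protects none of them.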
Defensive priority
Prioritize as a low-severity but real access-control defect: fix promptly if OAuth login is enabled and account deactivation is part of your security or HR offboarding process. The main risk is continued authenticated access for accounts that were expected to be revoked.
Recommended defensive actions
- Review whether your Concrete CMS deployment uses OAuth 2.0 authorization-code login for user authentication or API token issuance.
- Upgrade to Concrete CMS 9.5.1 or later, the release whose notes the advisory references as the vendor remediation, and move off affected versions (9.5.0 and below).
- Audit for accounts with uIsActive=0 that may still have recently obtained OAuth sessions or API tokens.
- If you cannot patch immediately, revoke outstanding API tokens (and any OAuth refresh tokens that could mint new ones) for suspended, banned, or terminated users, and repeat the revocation each time an account is deactivated until the fix is in place.
- Verify that account-status checks are enforced in your identity lifecycle and offboarding workflows.
- Monitor authentication logs for successful authorization-code grants and token issuance involving accounts that should be disabled; a success for a uIsActive=0 account is the direct indicator of this defect.
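The audit and monitoring steps above can be scripted against an export of user records and the OAuth server's logs. The following is an added example for this debrief, not Concrete CMS tooling: the log format, the field names other than uIsActive, the deactivation timestamp, and all sample data are constructed assumptions, so adapt the regex and the user export to what your deployment actually emits. It flags every token issuance for an account that is inactive now, distinguishes tokens minted after deactivation (the signature of this bug) from tokens that predate it (still worth revoking), and yields the set of accounts whose tokens should be revoked.

```python
"""
Added audit example for this debrief (not Concrete CMS code): correlate an
export of user records with OAuth token-issuance log lines and flag tokens
handed to accounts that are inactive. Log format, field names other than
uIsActive, the deactivation timestamp and all data are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed user export. "deactivated_at" is an assumed field (None = active).
USERS = [
    {"uID": 1, "uName": "alice",   "uIsActive": 1, "deactivated_at": None},
    {"uID": 2, "uName": "mallory", "uIsActive": 0, "deactivated_at": "2026-05-20T09:00:00Z"},
    {"uID": 3, "uName": "bob",     "uIsActive": 0, "deactivated_at": "2026-05-22T12:00:00Z"},
]

# Constructed log lines in an assumed key=value format; one line is deliberately unparseable.
LOG_LINES = """\
2026-05-22T08:15:00Z oauth event=token_issued grant=authorization_code client=mobile user=alice
2026-05-22T08:20:11Z oauth event=token_issued grant=authorization_code client=mobile user=mallory
2026-05-22T11:00:00Z oauth event=token_issued grant=authorization_code client=ci user=bob
2026-05-22T13:30:45Z oauth event=token_issued grant=refresh_token client=ci user=bob
2026-05-22T13:31:00Z oauth event=token_denied grant=authorization_code client=ci user=bob
garbage line that does not parse
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) oauth event=(?P<event>\S+) grant=(?P<grant>\S+) "
    r"client=(?P<client>\S+) user=(?P<user>\S+)$"
)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so callers can skip noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    return rec


def find_suspect_issuances(users, lines):
    """Return (user, grant, issued_at, reason) for every token issued to an
    account that is inactive now. Denied events and unparseable lines are skipped."""
    by_name = {u["uName"]: u for u in users}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "token_issued":
            continue
        user = by_name.get(rec["user"])
        if user is None:
            findings.append((rec["user"], rec["grant"], rec["ts"], "unknown account"))
            continue
        if user["uIsActive"] == 1:
            continue
        deact = parse_ts(user["deactivated_at"]) if user["deactivated_at"] else None
        if deact is not None and rec["ts"] >= deact:
            reason = "issued after deactivation"      # the bug's direct indicator
        else:
            reason = "account now inactive; token issued before deactivation"
        findings.append((rec["user"], rec["grant"], rec["ts"], reason))
    return findings


def revocation_targets(findings):
    """Accounts whose outstanding access and refresh tokens should be revoked."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    hits = find_suspect_issuances(USERS, LOG_LINES)
    for user, grant, ts, reason in hits:
        print(f"{ts.isoformat()} user={user} grant={grant}: {reason}")
    print("revoke tokens for:", revocation_targets(hits))
```

The "issued after deactivation" entries are what to look for while unpatched; a refresh-token grant after deactivation shows that revoking access tokens alone is not enough, which is why the revocation list covers the whole account rather than individual tokens.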
Evidence notes
This debrief is based only on the supplied official sources: the NVD CVE record, the CVE.org record, and the referenced Concrete CMS release-notes URL. The CVE description states the affected scope (Concrete CMS 9.5.0 and below), the bypass condition (uIsActive=0), and the outcome (valid API tokens). The supplied NVD metadata also lists CWE-1287 and the CVSS v4.0 vector. The vendor attribution is low confidence in the source corpus, so the product name is treated as Concrete CMS based on the CVE description and official Concrete CMS reference link.
Official resources
- CVE-2026-7887 CVE record (CVE.org)
- CVE-2026-7887 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
CVE-2026-7887 was published and last modified on 2026-05-21T22:16:49.270Z. No KEV entry is present in the supplied data. The report credits 0x4c616e.