PatchSiren cyber security CVE debrief
CVE-2026-8350 Concrete CMS CVE debrief
CVE-2026-8350 is a high-severity authorization flaw in Concrete CMS 9.5.0 and below. The issue is in bulk_user_assignment.php, where an authenticated user with access to the bulk user assignment dashboard can add any user email to any group and remove legitimate admins, enabling privilege escalation to the Administrative Group. The vulnerability was published on 2026-05-21 and is rated CVSS 7.5 (HIGH) by the Concrete CMS security team.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and security teams running Concrete CMS 9.5.0 or earlier should treat this as a priority issue, especially if the bulk user assignment dashboard is exposed to authenticated users. Teams responsible for identity, role management, and administrative group membership should verify access controls and review recent group membership changes.
Technical summary
The weakness is a missing authorization check (CWE-863) in bulk_user_assignment.php. According to the supplied description, any authenticated user with access to the bulk user assignment dashboard can modify group membership for arbitrary user emails and can remove legitimate admins, creating a path to privilege escalation into the Administrative Group. NVD lists the issue with CVSS v4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
Defensive priority
High. This is an authorization bypass affecting administrative group integrity, so it should be remediated quickly after validation and exposure review.
Recommended defensive actions
- Review whether Concrete CMS is running at version 9.5.0 or earlier and prioritize remediation for exposed instances.
- Restrict access to the bulk user assignment dashboard to only strictly authorized administrators until a patched release is deployed.
- Audit current group memberships and recent administrative group changes for unauthorized additions or removals.
- Validate that server-side authorization checks are enforced for all bulk group assignment actions, not just UI-level controls.
- Monitor for unusual changes to admin or privileged group membership and investigate any unexpected removals of legitimate admins.
- Consult the vendor release notes and official advisory material linked from the CVE record before planning the upgrade path.
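The audit and monitoring actions above (reviewing group memberships for unauthorized additions and removals, and watching for unexpected removals of legitimate admins) can be scripted against whatever membership-change trail a deployment keeps. The following is an added example written for this brief; it is not PatchSiren or Concrete CMS code. It assumes a JSON-lines audit trail with `ts`, `actor`, `action`, `group` and `target` fields, a privileged group named "Administrators", and a baseline admin set captured before the review window; all of those, and the account names in the constructed sample, are assumptions, since Concrete CMS is not known to log events in this shape. It replays the trail and flags the pattern the advisory describes: an account outside the trusted set touching group membership, an account adding itself to the admin group, and a baseline admin being removed.

```python
"""Replay a group-membership audit trail and flag changes consistent with
abuse of a bulk user assignment authorization flaw such as CVE-2026-8350.

Everything about the input is an assumption made for this example: the
JSON-lines layout, the field names, the group name "Administrators" and the
account names. Adapt parse_events() to what your deployment actually records.
"""
import json
from dataclasses import dataclass

ADMIN_GROUP = "Administrators"  # assumed name of the privileged group

# Constructed sample trail: a low-privileged account ("mallory") promotes
# itself and then removes a legitimate admin, the pattern the advisory describes.
SAMPLE_LOG = """
{"ts": "2026-05-21T09:00:00Z", "actor": "alice",   "action": "add",    "group": "Editors",        "target": "bob"}
{"ts": "2026-05-21T09:05:00Z", "actor": "mallory", "action": "add",    "group": "Administrators", "target": "mallory"}
{"ts": "2026-05-21T09:06:00Z", "actor": "mallory", "action": "remove", "group": "Administrators", "target": "alice"}
{"ts": "2026-05-21T09:10:00Z", "actor": "alice",   "action": "add",    "group": "Administrators", "target": "carol"}
"""

# Admin membership captured before the review window (assumed baseline).
BASELINE_ADMINS = {"alice"}


@dataclass
class Finding:
    rule: str
    severity: str
    ts: str
    actor: str
    action: str
    group: str
    target: str


def parse_events(text: str) -> list:
    """Parse one JSON object per line, validate the fields this audit needs,
    and return the events in timestamp order."""
    required = {"ts", "actor", "action", "group", "target"}
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ev = json.loads(line)
        missing = required - set(ev)
        if missing:
            raise ValueError(f"event missing {sorted(missing)}: {line}")
        if ev["action"] not in ("add", "remove"):
            raise ValueError(f"unknown action {ev['action']!r}: {line}")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def audit(events: list, baseline_admins: set, authorized_managers: set = None) -> list:
    """Return findings for events that look like abuse of group assignment.

    authorized_managers is the set of accounts expected to change group
    membership at all; it defaults to the baseline admins. Actors are judged
    against the baseline rather than against membership as it evolves in the
    trail, so an account that promoted itself inside the window stays untrusted.
    """
    authorized = authorized_managers if authorized_managers is not None else baseline_admins
    findings = []

    def flag(ev, rule, severity):
        findings.append(Finding(rule, severity, ev["ts"], ev["actor"],
                                ev["action"], ev["group"], ev["target"]))

    for ev in events:
        # Any membership change by an account outside the trusted set is suspect.
        if ev["actor"] not in authorized:
            flag(ev, "unauthorized_actor", "high")
        if ev["group"] != ADMIN_GROUP:
            continue
        # Self-promotion into the privileged group.
        if ev["action"] == "add" and ev["actor"] == ev["target"]:
            flag(ev, "self_promotion", "high")
        # A legitimate (baseline) admin being removed.
        if ev["action"] == "remove" and ev["target"] in baseline_admins:
            flag(ev, "baseline_admin_removed", "high")
        # Every addition to the admin group is worth a look, even by a trusted actor.
        if ev["action"] == "add":
            flag(ev, "admin_group_addition", "medium")
    return findings


def high_severity_actors(findings: list) -> set:
    """Accounts that should be reviewed first."""
    return {f.actor for f in findings if f.severity == "high"}


if __name__ == "__main__":
    for f in audit(parse_events(SAMPLE_LOG), BASELINE_ADMINS):
        print(f"{f.ts} {f.severity:6} {f.rule:24} {f.actor} {f.action} {f.target} -> {f.group}")
```

Judging actors against a baseline taken before the window, rather than against the replayed membership, is the important design choice: once an attacker has added themselves to the admin group, any check that trusts "current admins" would treat their later removal of a legitimate admin as routine.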
Evidence notes
All substantive facts in this brief come from the supplied CVE description and NVD metadata: Concrete CMS 9.5.0 and below are affected; the flaw is a missing authorization issue in bulk_user_assignment.php; any authenticated user with access to the dashboard can add users to groups and remove admins; the issue is mapped to CWE-863 and scored CVSS v4.0 7.5 HIGH. The source reference points to Concrete CMS release notes, but no remediation version is asserted here because it is not explicitly stated in the supplied corpus.
Official resources
- CVE-2026-8350 CVE record (CVE.org)
- CVE-2026-8350 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
The CVE was published on 2026-05-21. It was reported by Vincent55, and the Concrete CMS security team assigned CVSS v4.0 7.5 (HIGH). No KEV entry is indicated in the supplied data.