CVE-2026-8327

UNKNOWN 0.0

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting resulting in password change without requiring the current password and also resulting in registered users able to disable the per-user-IP-pinning in the session validator which is meant to detect hijacking. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 5.3 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks 0x4c616e for reporting.

CWE	CWE-915 CWE-620 CWE-269
Vendor	concrete cms
Product	concrete cms
Published	May 21, 2026
Last Updated	May 22, 2026

Stay Ahead of the Next One

Get instant alerts for concrete cms concrete cms

Be the first to know when new unknown vulnerabilities affecting concrete cms concrete cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Concrete CMS / Concrete CMS

5 ≤ 9.5.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

documentation.concretecms.org: https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Credits

0x4c616e