HIGH

GHSA-g7xp-jf3x-wcx4

Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php

Details

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team thanks Vincent55 for reporting this issue.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / concrete5/concrete5

Introduced in: 0 Fixed in: 9.5.1

Fix composer require concrete5/concrete5:^9.5.1

References

https://nvd.nist.gov/vuln/detail/CVE-2026-8350 [ADVISORY]
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes [WEB]
https://github.com/concretecms/concretecms [PACKAGE]