
Description

Concrete CMS 9.5.0 and below is vulnerable to an IDOR (insecure direct object reference) in surveys. To be vulnerable, a site must be configured so that both public and private surveys are present. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey's endpoint. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Zer0daySec (https://github.com/Zee99y) for reporting.

PUBLISHED Reserved 2026-05-11 | Published 2026-05-21 | Updated 2026-05-22 | Assigner ConcreteCMS

MEDIUM: 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

CWE-565 Reliance on Cookies without Validation and Integrity Checking

Product status

Default status: unaffected

5.0 (git): affected

Credits

Zer0daySec (GitHub: https://github.com/Zee99y) finder

References

documentation.concretecms.org/...n-history/951-release-notes release-notes

cve.org (CVE-2026-8337)

nvd.nist.gov (CVE-2026-8337)
