CVE-2026-7887
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status
Published: 2026-05-21 · Last updated: 2026-05-21
Severity and scoring
- CWE
- CWE-1287
Description
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-10825 — A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests
- CVE-2026-9753 — The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to re... (8.1 HIGH)
- CVE-2026-9742 — When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" ... (7.5 HIGH)
- CVE-2026-11460 — A flaw has been found in Boost Serialization up to 1.91 (7.3 HIGH)
- CVE-2024-6858 — In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL c... (6.5 MEDIUM)