QSearchQSearch

CVE-2026-7887

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status

Published: 2026-05-21 · Last updated: 2026-05-21

Severity and scoring

CWE
CWE-1287

Description

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-10825 A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests
  • CVE-2026-9753 The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to re... (8.1 HIGH)
  • CVE-2026-9742 When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" ... (7.5 HIGH)
  • CVE-2026-11460 A flaw has been found in Boost Serialization up to 1.91 (7.3 HIGH)
  • CVE-2024-6858 In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL c... (6.5 MEDIUM)