CVE-2026-8337 PUBLISHED

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys

Assigner: ConcreteCMS
Reserved: 11.05.2026 Published: 21.05.2026 Updated: 22.05.2026

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey's endpoint. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Zer0daySec (https://github.com/Zee99y) for reporting.
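As an added illustration (not Concrete CMS code; the table layout, the canView() permission check and the survey/option IDs are constructed for the example), the following contrasts the authorization shape described above with a handler that ties the submitted optionID to the survey the endpoint actually serves:

```php
<?php
// Added example (not Concrete CMS code): a survey vote handler that binds the
// submitted optionID to the survey the endpoint serves before counting it.
declare(strict_types=1);

// Constructed in-memory stand-ins for the survey and option tables.
// Survey 10 is on a public page; survey 20 is on a page restricted to logged-in users.
const SURVEYS = [10 => ['public' => true], 20 => ['public' => false]];
const OPTIONS = [
    1 => ['surveyId' => 10],  // "Yes" on the public survey
    2 => ['surveyId' => 10],  // "No" on the public survey
    7 => ['surveyId' => 20],  // option on the restricted survey
];

/** Hypothetical page-permission check: public surveys are open to everyone. */
function canView(int $surveyId, bool $loggedIn): bool
{
    return SURVEYS[$surveyId]['public'] || $loggedIn;
}

/**
 * Vulnerable shape (CWE-639): the permission check runs against the survey the
 * request names, and optionID is then trusted to belong to that survey.
 */
function voteVulnerable(int $surveyId, int $optionId, bool $loggedIn): bool
{
    if (!isset(SURVEYS[$surveyId]) || !canView($surveyId, $loggedIn)) {
        return false;
    }
    return isset(OPTIONS[$optionId]); // any existing option is counted
}

/**
 * Hardened shape: resolve the option first, require that it belongs to the
 * survey this endpoint serves, and authorize against that survey.
 */
function voteHardened(int $surveyId, int $optionId, bool $loggedIn): bool
{
    $option = OPTIONS[$optionId] ?? null;
    if ($option === null || $option['surveyId'] !== $surveyId) {
        return false; // option is not part of the survey being voted in
    }
    return canView($option['surveyId'], $loggedIn);
}

// An anonymous caller submitting option 7 (restricted survey 20) through the
// public survey 10 endpoint is accepted by the first handler and rejected by the second.
var_dump(voteVulnerable(10, 7, false));
var_dump(voteHardened(10, 7, false));
```

The same ownership check belongs in any endpoint that accepts a child record ID (option) alongside a parent (survey): authorize against the parent the child actually belongs to, not the one the client claims.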

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor Concrete CMS
Product Concrete CMS
Versions Default: unaffected
  • affected from 5.0 to 9.5.0 (incl.)

Credits

  • Zer0daySec (GitHub: https://github.com/Zee99y) finder

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key
  • CWE-565 Reliance on Cookies without Validation and Integrity Checking

Impacts

  • CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
  • CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs