216.73.217.172

CVE-2026-7887

· Published 21/05/2026 22:16 · Modified 21/05/2026 22:16

Labels: CVE-2026-7887 2026-05-21CVE-2026-7887CWE-1287ff5b8ace-8b95-4078-9743-eac1ca5451de

Essential information

Published
21/05/2026 22:16
Modified
21/05/2026 22:16
Author
Creator
CVSS
2.3 LOW (v3) 2.3 LOW (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ff5b8ace-8b95-4078-9743-eac1ca5451de
NVD
View on NVD

Affected products (CPE)

ProductCPE
concrete / concrete cms cpe:2.3:a:concrete:concrete_cms:9.5.0:*:*:*:*:*:*:*
concrete / concrete cms cpe:2.3:a:concrete:concrete_cms:*:*:*:*:*:*:*:*

References