Concrete CMS OAuth 2.0 Authorization-Code Handler Account Status Bypass Vulnerability

Vulnerability

A vulnerability exists in Concrete CMS versions 9.5.0 and earlier: the OAuth 2.0 Authorization-Code Handler does not enforce account-status checks. Users whose account is inactive (suspended, banned, or terminated) can still authenticate via OAuth and receive valid API tokens. This flaw could be exploited to access restricted resources or perform actions on behalf of such a user.
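To make the defect concrete, the following is an added illustration written for this page; it is not Concrete CMS code and does not reproduce the project's handler. It models the token step of an authorization-code grant twice: once in the pattern the advisory describes (the account's status is never consulted once the code validates) and once with the status check a fixed handler needs. The user table, the authorization codes, the client id and every function name are constructed assumptions. A small audit helper at the end shows the check a defender can run against already-issued tokens.

```python
# Added illustration (not Concrete CMS code): the token-issuing step of an
# OAuth 2.0 authorization-code grant, without and with an account-status
# check. All data below (users, codes, client id) is constructed.
import secrets
from dataclasses import dataclass

INACTIVE_STATUSES = {"suspended", "banned", "terminated"}
CLIENT_ID = "demo-client"  # assumed registered client


@dataclass
class User:
    username: str
    status: str  # "active" or one of INACTIVE_STATUSES


# Constructed sample user table: one active user, one suspended user.
USERS = {
    "alice": User("alice", "active"),
    "bob": User("bob", "suspended"),
}


def fresh_auth_codes():
    """Constructed store of previously issued, not-yet-redeemed codes.
    A fresh copy is returned each time because codes are single-use."""
    return {
        "code-alice": {"user": "alice", "client_id": CLIENT_ID, "redeemed": False},
        "code-bob": {"user": "bob", "client_id": CLIENT_ID, "redeemed": False},
    }


def _redeem_code(code, client_id, auth_codes):
    """Shared grant validation: the code must exist, belong to the requesting
    client, and not have been used before. Returns the User or None."""
    entry = auth_codes.get(code)
    if entry is None or entry["client_id"] != client_id or entry["redeemed"]:
        return None
    entry["redeemed"] = True
    return USERS[entry["user"]]


def exchange_code_vulnerable(code, client_id, auth_codes):
    """Vulnerable pattern: once the code validates, a token is minted without
    looking at the account. A suspended user holding a valid code gets in."""
    user = _redeem_code(code, client_id, auth_codes)
    if user is None:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "user": user.username}


def exchange_code_fixed(code, client_id, auth_codes):
    """Hardened pattern: re-check account status at token issuance, because the
    account may have been suspended after the code was granted. The error
    matches the generic invalid_grant response (RFC 6749 section 5.2) so the
    endpoint does not disclose why the grant was refused."""
    user = _redeem_code(code, client_id, auth_codes)
    if user is None:
        return {"error": "invalid_grant"}
    if user.status != "active":
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "user": user.username}


def tokens_held_by_inactive_users(issued_tokens):
    """Defender's audit: given (token_id, username) records of live tokens,
    return the token ids that belong to accounts that are no longer active.
    Those tokens should be revoked after upgrading to a fixed version."""
    flagged = []
    for token_id, username in issued_tokens:
        user = USERS.get(username)
        if user is None or user.status in INACTIVE_STATUSES:
            flagged.append(token_id)
    return flagged


if __name__ == "__main__":
    print(exchange_code_vulnerable("code-bob", CLIENT_ID, fresh_auth_codes()))
    print(exchange_code_fixed("code-bob", CLIENT_ID, fresh_auth_codes()))
    print(tokens_held_by_inactive_users([("t1", "alice"), ("t2", "bob")]))
```

The important design point is where the check sits: validating the authorization code proves the code is genuine, but only a status lookup at issuance time proves the account is still allowed to hold a session. Checking status only at login (when the code is granted) leaves the window the advisory describes.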

Impact

Exploitation of this vulnerability allows inactive users to authenticate via OAuth, bypassing account status restrictions and potentially leading to unauthorized access or actions within the application.

Remediation

Users can upgrade to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed.

Added: May 21, 2026, 10:40 PM
Updated: May 21, 2026, 10:40 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.3
exploitability: 6.4
remediation: 7.7
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.