PT-2026-42557 · Unknown · Concrete CMS
0X4C616E
Published: 2026-05-21 · Updated: 2026-05-22
CVE-2026-7887
CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 9.5.1
Description
The OAuth 2.0 authorization-code handler does not verify account status before issuing tokens. Users who are suspended, banned, or terminated employees, specifically accounts whose uIsActive attribute is set to 0, can therefore still authenticate via OAuth and obtain valid API tokens.
Recommendations
Update to a version newer than 9.5.0.
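The following is an added illustration of the class of defect described above, not code from Concrete CMS or from the advisory. It models a minimal authorization-code token endpoint in two forms: one that exchanges a valid code for a token without consulting the account, and a hardened one that looks the user up at redemption time and refuses when uIsActive is 0. The user rows, authorization codes, client IDs and function names are all constructed for the example; only the attribute name uIsActive is taken from the advisory.

```python
"""Minimal OAuth 2.0 authorization-code exchange, shown twice: an unsafe
form that never checks account status, and a hardened form that refuses to
issue a token for a deactivated account. Constructed example, not Concrete
CMS code."""
import secrets
import time

# Constructed user table. The column name uIsActive mirrors the advisory;
# the rows themselves are made up for this example.
USERS = {
    7:  {"uName": "alice",   "uIsActive": 1},
    42: {"uName": "mallory", "uIsActive": 0},   # suspended account
}

def issue_codes(ttl_seconds=600):
    """Return a fresh store of single-use authorization codes, as the
    /authorize step would have produced them earlier:
    code -> (user id, client the code is bound to, expiry). Constructed."""
    now = time.time()
    return {
        "code-alice":   (7,  "client-a", now + ttl_seconds),
        "code-mallory": (42, "client-a", now + ttl_seconds),
    }

def _redeem_code(codes, code, client_id):
    """Shared bookkeeping for both variants: consume the code (single use),
    confirm it is bound to the requesting client and has not expired.
    Returns the user id the code was issued for, or None."""
    entry = codes.pop(code, None)
    if entry is None:
        return None
    user_id, bound_client, expires_at = entry
    if bound_client != client_id or time.time() > expires_at:
        return None
    return user_id

def _mint_token(user_id):
    """Opaque bearer token for the example; real servers persist this."""
    return {"access_token": secrets.token_urlsafe(32), "user_id": user_id}

def exchange_code_unsafe(codes, code, client_id):
    """Vulnerable pattern: a valid, unexpired code is sufficient.
    Account status is never examined, so a suspended or terminated user
    whose code is still live receives a usable API token."""
    user_id = _redeem_code(codes, code, client_id)
    if user_id is None:
        return None
    return _mint_token(user_id)

def exchange_code_hardened(codes, code, client_id):
    """Hardened pattern: the token endpoint re-checks the account at
    redemption time rather than trusting whatever was true when the code
    was issued. Deactivated (uIsActive == 0) or deleted users are refused
    with the same outcome as an invalid code."""
    user_id = _redeem_code(codes, code, client_id)
    if user_id is None:
        return None
    user = USERS.get(user_id)
    if user is None or user["uIsActive"] != 1:
        return None
    return _mint_token(user_id)

if __name__ == "__main__":
    print("unsafe, suspended user:  ",
          exchange_code_unsafe(issue_codes(), "code-mallory", "client-a"))
    print("hardened, suspended user:",
          exchange_code_hardened(issue_codes(), "code-mallory", "client-a"))
    print("hardened, active user:   ",
          exchange_code_hardened(issue_codes(), "code-alice", "client-a"))
```

The status check belongs at the token endpoint (and again wherever a refresh token is redeemed or a bearer token is validated), because an account can be deactivated between the moment a code or token is issued and the moment it is used; checking only at interactive login leaves exactly the gap the advisory describes.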
Affected Products
Concrete CMS