CVE-2026-8347 Overview
CVE-2026-8347 is an Insecure Direct Object Reference (IDOR) vulnerability combined with an incorrect authorization check in Concrete CMS versions 9.5.0 and below. The flaw exists in the Express association Reorder dialog, where users with view-only permission on a single entry can tamper with the ordering state of other entities. The issue affects sites that use the Express feature and rely on entity ordering. The Concrete CMS security team credited Winston Crooker for reporting the vulnerability. The flaw is tracked under [CWE-639] (Authorization Bypass Through User-Controlled Key).
Critical Impact
Authenticated users with view-only permission on one Express entry can perform cross-entity state tampering by manipulating ordering, bypassing the intended authorization model.
Affected Products
- Concrete CMS 9.5.0 and below
- Sites using the Express feature
- Deployments relying on Express entity ordering
Discovery Timeline
- Vulnerability reported by Winston Crooker
- 2026-05-22 - CVE-2026-8347 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-8347
Vulnerability Analysis
The vulnerability resides in the Express association Reorder dialog within Concrete CMS. Express is the content modeling system that allows administrators to define custom entities and relationships between them. The Reorder dialog is intended to let authorized users adjust the display order of associated entries.
The flaw combines two distinct issues. First, the Reorder operation uses direct object references without verifying that the supplied identifier belongs to a resource the caller is authorized to modify. Second, the authorization check applied to the operation enforces an insufficient permission level, accepting view-only access where modify or reorder permission should be required. Together, these defects allow a low-privilege user holding read access on a single Express entry to alter ordering state across other entities.
The impact is limited to integrity of ordering metadata. Confidentiality and availability are not affected, and the attack does not yield arbitrary data disclosure or code execution.
Root Cause
The root cause is improper enforcement of object-level and operation-level authorization in the Reorder handler. The handler trusts client-supplied entity identifiers and validates the caller against the wrong permission scope. This is a textbook [CWE-639] pattern where the access control decision relies on a user-controlled key without re-validating ownership and required privilege.
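To make the two defects concrete, the following is an added illustration written for this page and not Concrete CMS code: a minimal Python model of an association reorder handler. The names Entry, Store, reorder_vulnerable and reorder_hardened, the rights "view" and "edit", and the sample entries are all assumptions for the example. The defective version checks the wrong permission level and writes ordering state to whatever identifiers the client supplies; the hardened version requires the right that matches the operation and accepts only a permutation of the identifiers already in the association, which closes both the object-level and the operation-level gap.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative model only: Entry, Store and the reorder_* functions are
# assumed names for this example, not Concrete CMS identifiers.

class Forbidden(Exception):
    """Raised when an authorization check rejects the request."""

@dataclass
class Entry:
    entry_id: int
    entity_id: int                               # which Express entity (type) the entry belongs to
    position: int = 0                            # ordering state that the reorder operation rewrites
    associated: list[int] = field(default_factory=list)  # ids currently in this entry's association

@dataclass
class Store:
    entries: dict[int, Entry]
    permissions: dict[str, dict[int, set[str]]]  # user -> entry id -> rights such as {"view", "edit"}

    def can(self, user: str, entry_id: int, right: str) -> bool:
        return right in self.permissions.get(user, {}).get(entry_id, set())

def reorder_vulnerable(store: Store, user: str, entry_id: int, new_order: list[int]) -> dict[int, int]:
    """Defective pattern: the operation-level check accepts 'view' where 'edit'
    is needed, and the client-supplied ids are acted on without confirming they
    belong to this association, so positions in other entities can be rewritten."""
    if not store.can(user, entry_id, "view"):
        raise Forbidden("no access to entry")
    applied = {}
    for pos, eid in enumerate(new_order):
        if eid in store.entries:                 # user-controlled key selects the object (CWE-639 shape)
            store.entries[eid].position = pos
            applied[eid] = pos
    return applied

def reorder_hardened(store: Store, user: str, entry_id: int, new_order: list[int]) -> dict[int, int]:
    """Hardened pattern: require the right that matches the operation, and accept
    only a permutation of the ids that already make up this association."""
    if entry_id not in store.entries:
        raise Forbidden("unknown entry")
    if not store.can(user, entry_id, "edit"):
        raise Forbidden("edit permission required to reorder")
    current = store.entries[entry_id].associated
    if sorted(new_order) != sorted(current):
        raise Forbidden("order must be a permutation of the existing association")
    applied = {}
    for pos, eid in enumerate(new_order):
        store.entries[eid].position = pos
        applied[eid] = pos
    return applied

def is_forbidden(fn, *args) -> bool:
    """Helper for checking that a call is rejected."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False

def make_store() -> Store:
    """Constructed sample data: entity 100 and entity 200, a viewer holding
    view-only on entry 1 and an editor holding edit on entry 1."""
    entries = {
        1: Entry(1, 100, associated=[10, 11, 12]),
        2: Entry(2, 200, associated=[20, 21]),
        10: Entry(10, 100, 0), 11: Entry(11, 100, 1), 12: Entry(12, 100, 2),
        20: Entry(20, 200, 0), 21: Entry(21, 200, 1),
    }
    perms = {"viewer": {1: {"view"}}, "editor": {1: {"view", "edit"}}}
    return Store(entries, perms)

if __name__ == "__main__":
    s = make_store()
    print("vulnerable:", reorder_vulnerable(s, "viewer", 1, [21, 20]))  # rewrites entity 200's ordering
    s = make_store()
    print("hardened rejects viewer:", is_forbidden(reorder_hardened, s, "viewer", 1, [21, 20]))
    print("hardened rejects foreign ids:", is_forbidden(reorder_hardened, s, "editor", 1, [21, 20]))
    print("hardened applies valid reorder:", reorder_hardened(s, "editor", 1, [12, 11, 10]))
```

The permutation check is what removes the user-controlled key from the access decision: the server derives the set of objects it will touch from its own record of the association rather than from the request, and the identifiers in the request can only choose an order among those objects.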
Attack Vector
An authenticated attacker with view-only permission on one Express entry sends a crafted request to the Reorder dialog endpoint. By substituting identifiers referencing entries belonging to other entities, the attacker causes the server to apply reordering operations outside the boundary of their granted permission. Exploitation requires network access to the application and valid low-privilege credentials. No user interaction is needed. Verified exploit code is not publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified proof-of-concept code is published for this issue. Refer to the ConcreteCMS 9.x Release Notes for vendor-supplied details.
Detection Methods for CVE-2026-8347
Indicators of Compromise
- Unexpected changes to Express entity ordering performed by accounts that hold only view permissions
- Audit log entries showing Reorder dialog requests from users without explicit edit rights on the targeted entity
- HTTP requests to Express reorder endpoints carrying entity identifiers outside the caller's assigned scope
Detection Strategies
- Review application audit logs for reorder actions correlated against the actor's effective permission set
- Enable verbose logging on Express association endpoints to capture entity identifiers and the authenticated principal
- Compare current Express ordering snapshots against known-good baselines to identify unauthorized mutations
Monitoring Recommendations
- Forward Concrete CMS application logs to a centralized log platform for correlation and retention
- Alert on reorder operations performed by accounts whose role assignments do not include edit privileges on the affected entity
- Track HTTP 200 responses to Express reorder routes initiated by low-privilege session tokens
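The following added example (written for this page, not vendor tooling) implements the detection strategies and alert rules listed above in one script: it correlates reorder audit events against each actor's effective permission set, flags requests that reference identifiers outside the actor's scope, weights accepted (HTTP 200) requests higher, and compares ordering snapshots against a known-good baseline. The JSON log schema, the action name express.association.reorder, the PERMISSIONS map and the sample events are all constructed assumptions; adapt the parser to the fields your Concrete CMS logging actually emits.

```python
import json

# Constructed sample audit events (one JSON object per line); field names
# are assumptions for this example, not a real Concrete CMS log schema.
SAMPLE_LOG = """
{"ts":"2026-05-23T10:01:02Z","user":"editor","action":"express.association.reorder","entry":1,"ids":[12,11,10],"status":200}
{"ts":"2026-05-23T10:04:15Z","user":"viewer","action":"express.association.reorder","entry":1,"ids":[21,20],"status":200}
{"ts":"2026-05-23T10:05:30Z","user":"viewer","action":"express.entry.view","entry":1,"status":200}
{"ts":"2026-05-23T10:07:44Z","user":"viewer","action":"express.association.reorder","entry":2,"ids":[20,21],"status":403}
"""

# Constructed effective permission set: user -> entry id -> rights held.
PERMISSIONS = {
    "editor": {1: {"view", "edit"}, 10: {"view", "edit"}, 11: {"view", "edit"}, 12: {"view", "edit"}},
    "viewer": {1: {"view"}},
}

REORDER_ACTION = "express.association.reorder"   # assumed action label

def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def rights(perms, user, entry_id):
    """Rights the user holds on a given entry (empty set if none)."""
    return perms.get(user, {}).get(entry_id, set())

def analyze(event, perms):
    """Return finding strings for a single event; an empty list means nothing suspicious."""
    findings = []
    if event.get("action") != REORDER_ACTION:
        return findings
    user, target = event["user"], event["entry"]
    # Indicator: reorder performed by an account without edit rights on the targeted entry.
    if "edit" not in rights(perms, user, target):
        findings.append("reorder without edit right on target entry")
    # Indicator: request carries identifiers the actor holds no permission on at all.
    out_of_scope = [i for i in event.get("ids", []) if not rights(perms, user, i)]
    if out_of_scope:
        findings.append(f"ids outside actor scope: {out_of_scope}")
    # An accepted request is the stronger signal: the server applied the change.
    if findings and event.get("status") == 200:
        findings.append("server accepted the request (HTTP 200)")
    return findings

def scan(text, perms=PERMISSIONS):
    """Run analyze() over every event and keep only those with findings."""
    results = []
    for event in parse_events(text):
        findings = analyze(event, perms)
        if findings:
            results.append({"ts": event["ts"], "user": event["user"],
                            "entry": event["entry"], "findings": findings})
    return results

def ordering_drift(baseline, current):
    """Compare ordering snapshots (entity -> ordered ids) against a known-good
    baseline and return only the entities whose ordering changed."""
    return {e: (baseline[e], current.get(e)) for e in baseline if baseline[e] != current.get(e)}

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ts"], r["user"], "entry", r["entry"], "->", "; ".join(r["findings"]))
    print(ordering_drift({"product": [10, 11, 12], "category": [20, 21]},
                         {"product": [10, 11, 12], "category": [21, 20]}))
```

Run against the sample, the editor's reorder produces no finding, the viewer's accepted reorder of entry 1 yields three findings (no edit right, out-of-scope identifiers, HTTP 200), and the viewer's rejected attempt on entry 2 yields two. Feed ordering_drift() the periodic snapshots mentioned under Detection Strategies; any drift that no authorized reorder event explains is the unauthorized mutation to investigate.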
How to Mitigate CVE-2026-8347
Immediate Actions Required
- Upgrade Concrete CMS to version 9.5.1 or later, which addresses the IDOR and authorization defects in the Express Reorder dialog
- Audit existing Express permission assignments and remove view-only grants that are not strictly required
- Review historical reorder activity to confirm no unauthorized ordering changes occurred prior to patching
Patch Information
Concrete CMS resolved this vulnerability in the 9.5.1 release. Administrators should consult the ConcreteCMS 9.x Release Notes for upgrade guidance and apply the update following the vendor's recommended procedure.
Workarounds
- Restrict access to the Express dashboard and association management features to trusted administrators until the patch is applied
- Disable or limit use of Express entity ordering on production sites where the feature is not required
- Place the Concrete CMS administrative area behind network-level access controls or a web application firewall to reduce exposure of low-privilege accounts
# Configuration example - upgrade via Composer
# Pull the fixed core release (9.5.1 or later) into the project
composer require concretecms/concretecms:^9.5.1
# Run the core update routine so the database and configuration match the updated files
php concrete/bin/concrete5 c5:update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


