Skip to main content

Concrete CMS CVE-2026-8204

| EUVDEUVD-2026-31348 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-21 ff5b8ace-8b95-4078-9743-eac1ca5451de GHSA-x2fp-hj8c-mmxh
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 21:39 vuln.today

DescriptionCVE.org

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

AnalysisAI

Cross-calendar data disclosure in Concrete CMS 9.5.0 and below exposes private calendar event data to unauthenticated remote attackers via an authorization bypass (CWE-639) in the Calendar Event Frontend Dialog. A publicly accessible calendar block serves as a required pivot point, allowing attackers to reference and retrieve event data from private calendars within the same installation. No public exploit has been identified at time of analysis; the vendor assigned a CVSS 4.0 score of 6.3, reflecting constrained confidentiality impact and a prerequisite attack condition (AT:P).

Technical ContextAI

The vulnerability resides in Concrete CMS's Calendar module, specifically the Frontend Dialog component responsible for rendering calendar event details to site visitors. CWE-639 (Authorization Bypass Through User-Controlled Key) identifies the root cause as an insecure direct object reference (IDOR) pattern: the dialog likely accepts a user-supplied identifier - such as an event ID or calendar ID - without verifying that the requesting party holds authorization to access the referenced calendar's data. The CVSS 4.0 vector element AT:P (Attack Requirements: Present) confirms that a specific precondition must exist in the target environment, namely a deployed and publicly accessible calendar block, before exploitation is feasible. No CPE strings were supplied in the source intelligence, but the affected scope is Concrete CMS version 9.5.0 and all prior releases in the 9.x branch. The vendor reference URL points to the 9.5.1 release notes, indicating the authorization check was introduced or corrected in that release.

RemediationAI

Upgrade to Concrete CMS 9.5.1 or later, as indicated by the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes; this is the fix version inferred from the provided reference, though it has not been independently verified against a separate published security advisory. If immediate patching is not feasible, administrators should assess whether any public calendar blocks are deployed in installations that also host private calendars - removing or disabling all public-facing calendar blocks eliminates the AT:P precondition entirely and fully mitigates exploitation risk, at the cost of removing legitimate public calendar functionality for site visitors. Restricting HTTP access to calendar frontend dialog endpoints via a WAF or reverse-proxy rule targeting calendar API paths may reduce exposure but is not a confirmed standalone compensating control given the lack of endpoint detail in available data. No generic network-level mitigations such as firewall rules are applicable given that the attack vector is standard web traffic.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy