Skip to main content

Concrete CMS CVE-2026-8236

| EUVDEUVD-2026-31347 MEDIUM
Missing Authorization (CWE-862)
2026-05-21 ConcreteCMS GHSA-58c8-vvqw-cm7m
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:41 vuln.today

DescriptionCVE.org

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

AnalysisAI

Unauthenticated information disclosure in Concrete CMS 9.5.0 and below allows any network-accessible attacker to enumerate internal site structure data - including page IDs, version numbers, and URL paths - by sending GET requests to the /ccm/system/dialogs/file/usage/{fID} endpoint without any credentials. The flaw combines CWE-862 (Missing Authorization) with a classic IDOR pattern on an integer file ID parameter, and is scored CVSS 4.0 at 6.3 (Medium) by the vendor with PR:N and AC:L, though the AT:P metric indicates that valid file IDs must exist for meaningful data to be returned. No public exploit code and no CISA KEV listing exist at time of analysis.

Technical ContextAI

The vulnerable endpoint /ccm/system/dialogs/file/usage/{fID} is part of Concrete CMS's administrative file management dialog subsystem, designed to show which site pages reference a given file asset. The root cause is CWE-862 (Missing Authorization): the endpoint lacks any session or capability check, allowing it to respond to unauthenticated GET requests. The fID parameter is an integer file ID - a textbook IDOR (Insecure Direct Object Reference) pattern where sequential or guessable IDs map directly to backend objects without access control enforcement. The response leaks internal CMS topology: page IDs, page version numbers, and URL paths that are ordinarily accessible only to authenticated editors. CPE cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* confirms the scope is the concrete_cms application across the 9.x branch through 9.5.0.

RemediationAI

The primary remediation is to upgrade to Concrete CMS 9.5.1, which resolves this vulnerability per the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If immediate upgrade is not feasible, a compensating control is to block unauthenticated external access to the URL path /ccm/system/dialogs/file/usage/ at the web server, reverse proxy, or WAF layer using a path-based deny rule. Be aware that this path is used by the CMS administrative file usage dialog and blocking it may break legitimate editor workflows - validate in a staging environment before production deployment. For installations already gated behind an authenticated reverse proxy or VPN for all CMS admin access, external exploitability is already prevented. No additional vendor-specified workarounds are documented in the available references.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy