Skip to main content

Concrete CMS CVE-2026-8237

| EUVDEUVD-2026-31352 MEDIUM
Missing Authorization (CWE-862)
2026-05-21 ConcreteCMS GHSA-xpgc-7vc2-8725
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:41 vuln.today

DescriptionCVE.org

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/message_detail endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.

AnalysisAI

Unauthenticated information disclosure in Concrete CMS 9.5.0 and earlier allows remote attackers to enumerate all conversation messages - including content from restricted pages, member-only areas, and the moderation queue - by exploiting a missing authorization check on the /ccm/frontend/conversations/message_detail endpoint. File attachment download URLs are also exposed, compounding the data leakage risk. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the attack requires no credentials and no user interaction, making bulk enumeration trivial once the conversations feature is confirmed active.

Technical ContextAI

The root cause is CWE-862 (Missing Authorization) in Concrete CMS's Conversations block, a page-level comment/discussion feature that supports access restrictions (member-only pages, moderation queues, and group-restricted content areas). The vulnerable endpoint /ccm/frontend/conversations/message_detail retrieves full message records by numeric ID but performs no authorization check to verify whether the requesting party has rights to view the parent page or conversation context. This is a classic IDOR pattern: object IDs are predictable/sequential, and the access control layer is entirely absent rather than merely bypassed. The CVSS 4.0 vector component AT:P (Attack Requirements: Present) signals that a precondition exists - the Conversations block must be deployed and contain messages - but no authentication is needed. CPE data (cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*) and EUVD-2026-31352 confirm the affected range spans versions 5.0 through 9.5.0.

RemediationAI

The primary remediation is upgrading to Concrete CMS 9.5.1, as indicated by the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. Note that version 9.5.1 as the fix version is inferred from the reference URL and should be independently confirmed against the release notes before deployment. If immediate upgrade is not possible, the most effective compensating control is disabling the Conversations block across all pages, which eliminates the vulnerable endpoint's attack surface entirely at the cost of removing commenting functionality for site visitors. Alternatively, WAF or web server rules can restrict unauthenticated access to the /ccm/frontend/conversations/message_detail endpoint - note this may degrade conversation display for legitimate users if the endpoint is called client-side. For sites where conversations must remain active, removing sensitive or restricted content from conversation threads and moderation queues reduces the data-exposure impact until patching is complete. Rate-limiting requests to the conversations API at the edge can reduce enumeration throughput but does not prevent exploitation.

CVE-2021-22968 HIGH POC
7.2 Nov 19

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co

CVE-2021-36766 HIGH POC
7.2 Jul 30

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl

CVE-2020-24986 HIGH POC
7.2 Sep 04

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File

CVE-2020-11476 HIGH POC
7.2 Jul 28

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity

CVE-2018-13790 HIGH POC
7.2 Jul 09

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-2994 MEDIUM POC
6.8 Mar 04

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co

CVE-2017-8082 MEDIUM POC
6.5 Apr 24

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in

CVE-2023-48648 CRITICAL
9.8 Nov 17

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec

CVE-2022-21829 CRITICAL
9.8 Jun 24

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho

CVE-2021-22958 CRITICAL
9.8 Oct 07

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad

CVE-2021-40098 CRITICAL
9.8 Sep 27

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel

Share

CVE-2026-8237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy