Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier exposes the full content of any conversation message through an unauthenticated frontend API endpoint, including messages from restricted pages, member-only areas, and the moderation queue. Unauthenticated remote attackers can enumerate message records and harvest file attachment download URLs by querying /ccm/frontend/conversations/message_page without credentials. No public exploit code has been identified and no CISA KEV listing exists; however, the network-accessible unauthenticated attack vector (PR:N, AV:N) makes patching a priority for any public-facing installation using the Conversations feature.
Technical ContextAI
The vulnerability is classified under CWE-862 (Missing Authorization), a root-cause class where server-side logic fails to verify the requesting party's permission before returning a resource. The frontend endpoint /ccm/frontend/conversations/message_page is part of Concrete CMS's built-in Conversations module - a commenting and discussion system that can be attached to pages. The flaw allows message identifiers to be enumerated or iterated without any authorization check, enabling retrieval of arbitrary message records regardless of the page-level access controls (restricted pages, member-only zones, or moderation queue states) that would normally gate visibility. CPE data (cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*) confirms the vulnerability spans the entire Concrete CMS application product, not a plugin or optional module. The CVSS 4.0 AT:P modifier (Attack Requirements: Present) indicates some environmental or configuration prerequisite must be in place - specifically, the Conversations feature must be active and contain message data.
RemediationAI
Upgrade to Concrete CMS 9.5.1, which addresses this vulnerability per vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes; this is the primary and recommended fix. If immediate upgrade is not possible, administrators can restrict access to /ccm/frontend/conversations/message_page at the web server layer (e.g., an nginx location block or Apache Location directive) to require authenticated sessions, though this may interfere with legitimate frontend conversation loading for logged-in users and should be tested against site functionality. A higher-impact but zero-side-effect workaround is to disable the Conversations feature entirely within the Concrete CMS dashboard if discussion functionality is not required, fully eliminating the exposed endpoint at the cost of all commenting capability. No compensating controls short of these measures can reliably prevent enumeration of message IDs once the endpoint is reachable.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31354
GHSA-qv3x-mffx-9gw8