Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em->find(File::class, $attachmentID) without checking per-file permissions (canViewFile()). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. if a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and below allows authenticated users with conversation posting rights to bypass the file permission system and reference arbitrary files from the CMS file manager. The AddMessage and UpdateMessage conversation controllers accept user-supplied integer attachment IDs and load file objects directly via the ORM without invoking the canViewFile() permission check, enabling unauthorized read and limited write access to files across the system. No public exploit code has been identified at time of analysis, and the ConcreteCMS security team assessed this as a low-severity issue (CVSS 4.0: 2.3), but sites storing sensitive private files are at meaningful risk if those files are served from within the webroot.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The vulnerability exists in the conversation messaging subsystem - specifically the AddMessage and UpdateMessage controllers. These controllers accept an attachments[] array parameter containing integer file IDs. Internally, the code calls $em->find(File::class, $attachmentID) - a Doctrine ORM lookup that retrieves the file entity directly by its primary key without invoking the application-level canViewFile() authorization check. Because Concrete CMS uses sequential integer IDs for file records, the attack surface for enumeration is trivially low. The root cause is classified under CWE-639 (Authorization Through User-Controlled Key), a subtype of IDOR where an application exposes internal object references (here, sequential database primary keys) as user-controllable input without enforcing access control on each lookup. The affected CPE is cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* across the impacted version range. The CVSS 4.0 vector AV:N/AC:L/AT:P/PR:L reflects network-reachable exploitation requiring low privileges and the presence of specific attack requirements (conversation posting access).
RemediationAI
The primary remediation is to upgrade Concrete CMS to version 9.5.1, which is referenced in the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes - note that 9.5.1 as the fix version is inferred from that URL and has not been independently confirmed as a tagged release with the patch merged. For sites that cannot immediately upgrade, the vendor-recommended compensating control is to configure a private file storage location outside the webroot, following the guidance at https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations. By storing private files outside the webroot, the web server will block direct URL access regardless of whether the CMS-level permission check is bypassed, since no HTTP path to the file exists. The trade-off of this workaround is that it requires migrating existing private files to the new storage location and reconfiguring the CMS, which may require testing to avoid breaking existing file references. Sites that do not store sensitive or access-controlled files are at minimal risk even without the workaround.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31360
GHSA-p8p9-5953-h9jw