Description
Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller.  Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
Published: 2026-05-21
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier allow an unauthenticated web user to request the file usage endpoint with any file identifier. The missing permission check exposes a list of every page that references that file, including page IDs, handles, and full URLs, even if those pages are normally restricted. This disclosure enables attackers to map application content and identify potentially sensitive or privileged pages, compromising confidentiality without granting direct code execution.

Affected Systems

Concrete CMS 9.5.0 and all prior releases are affected.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating moderate severity. No EPSS score is available and the issue is not listed in CISA KEV. Because the attack vector is a simple unauthenticated HTTP request to the /ccm/system/dialogs/file/usage endpoint with a file ID, exploitation requires no additional credentials or complex conditions. An attacker can probe file IDs to enumerate all references, posing a moderate risk of leaking internal URLs and potentially exposing restricted content.

Generated by OpenCVE AI on May 21, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to the latest version that includes the file usage disclosure fix.
  • If upgrading is not possible, block unauthenticated access to the "/ccm/system/dialogs/file/usage" endpoint using web server configuration or firewall rules.
  • Apply custom access controls or a temporary patch that requires authentication before file usage information can be retrieved.

Generated by OpenCVE AI on May 21, 2026 at 22:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller.  Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
Title Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Concretecms Concrete Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:55:21.936Z

Reserved: 2026-04-21T20:39:10.329Z

Link: CVE-2026-6826

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-21T21:16:32.697

Modified: 2026-05-21T21:16:32.697

Link: CVE-2026-6826

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses