Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via the attachments[] parameter, which can lead to a file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. If a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
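The missing check the advisory describes, as an added illustration rather than Concrete CMS's own controller code: attachment resolution first as described (lookup by ID only), then with a per-file permission check. It assumes the `File` entity and `$em` entity manager named above and that `canViewFile()` is reached through `Concrete\Core\Permission\Checker`; the function names and exception handling are hypothetical stand-ins for the real controllers.

```php
<?php
// Added illustration, not Concrete CMS's own code. The Checker class and
// File entity are assumed; the function names are hypothetical.
use Concrete\Core\Entity\File\File;
use Concrete\Core\Permission\Checker;
use Doctrine\ORM\EntityManagerInterface;

// BEFORE (the behaviour the advisory describes): every attachments[] value
// is resolved straight from the entity manager, so any existing file ID can
// be attached regardless of whether the poster may view that file.
function resolveAttachmentsUnchecked(EntityManagerInterface $em, array $attachmentIDs): array
{
    $files = [];
    foreach ($attachmentIDs as $attachmentID) {
        $file = $em->find(File::class, (int) $attachmentID);
        if ($file !== null) {
            $files[] = $file;
        }
    }
    return $files;
}

// AFTER: the same loop, but each file must pass the current user's
// canViewFile() check before it is accepted as an attachment. A missing file
// and a forbidden file produce the same error so the response does not
// confirm whether a guessed ID exists.
function resolveAttachmentsChecked(EntityManagerInterface $em, array $attachmentIDs): array
{
    $files = [];
    foreach ($attachmentIDs as $attachmentID) {
        if (!ctype_digit((string) $attachmentID)) {
            throw new \InvalidArgumentException('Attachment IDs must be positive integers');
        }
        $file = $em->find(File::class, (int) $attachmentID);
        if ($file === null) {
            throw new \RuntimeException('Attachment not available');
        }
        $fp = new Checker($file);           // permission checker for this file object
        if (!$fp->canViewFile()) {          // per-file view permission for the current user
            throw new \RuntimeException('Attachment not available');
        }
        $files[] = $file;
    }
    return $files;
}
```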
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and below allow an Insecure Direct Object Reference via the attachments[] parameter in AddMessage and UpdateMessage controllers. The system accepts arbitrary file attachment identifiers and loads the files without verifying the requesting user’s view rights, thereby bypassing the CMS file permission system. Consequently, a user who can post messages in any conversation can reference any file in the file manager by its numeric ID, exposing private files to unauthorized viewers. This weakness (CWE‑639) leads directly to confidential data leakage rather than code execution or denial of service.

Affected Systems

The vulnerability affects Concrete CMS 9.5.0 and all prior releases. No specific version patch number is cited in the advisory, but administrators should verify whether recent releases contain the fix.

Risk and Exploitability

The CVSS v4.0 score of 2.3 reflects low overall impact, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog, indicating that no known exploitation has been observed. The most likely attack vector is a legitimate user posting a message or updating a conversation while supplying a file identifier that points to a protected file. This requires knowledge of the target file’s numeric ID, which is generally only discoverable by authorized users or by inspecting the file manager, thereby limiting the attacker’s ability to target arbitrary users. As a result, the risk of widespread exploitation remains low, but the exposure of private content justifies remediation.

Generated by OpenCVE AI on May 21, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to the latest version that contains the IDOR fix or apply the vendor‑provided patch for the affected release.
  • Reconfigure the file storage system to use a private location outside the webroot, ensuring that all file access checks pass through the canViewFile() validation before rendering a file to the browser.
  • Use conversation or file‑level permissions to restrict which users can post attachments, and validate attachments[] input against the current user’s access rights to prevent referencing unauthorized files.


Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000

First Time appeared (values added): Concretecms; Concretecms concrete Cms
Vendors & Products (values added): Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Description (value added): Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via the attachments[] parameter, which can lead to a file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. If a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
Title (value added): Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter
Weaknesses (value added): CWE-639
References (value added):
Metrics (value added): cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:18:39.754Z

Reserved: 2026-05-05T19:31:00.289Z

Link: CVE-2026-7886

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T22:16:49.140

Modified: 2026-05-21T22:16:49.140

Link: CVE-2026-7886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses