Description
Concrete CMS 9.5.0 and below is vulnerable to an authorization bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS 9.5.0 and earlier contain an authorization bypass in the calendar event frontend dialog. The flaw allows a user to reach private calendar entries through a public calendar block, exposing protected data. This is a standard case of CWE-639: the dialog retrieves an event by a user-supplied key without verifying that the requester is authorized to view the calendar that event belongs to.

Affected Systems

Any Concrete CMS site running version 9.5.0 or an earlier release is affected. The vulnerable component is the calendar event dialog presented in the frontend, which can be invoked through a public calendar block that is configured on the website.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, with a network attack vector and low complexity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. An attacker who can reach the public calendar block can exploit the bypass to view private calendar entries, potentially compromising confidentiality.

Generated by OpenCVE AI on May 21, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade to a Concrete CMS release newer than 9.5.0 that addresses the authorization bypass.
  • If an upgrade is not immediately possible, limit or remove public calendar blocks from publicly accessible pages to prevent them from acting as a pivot point.
  • Review the application’s authorization logic for calendar events and ensure that it validates user permissions before rendering event details.

Generated by OpenCVE AI on May 21, 2026 at 23:05 UTC.
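As an added illustration of the CWE-639 pattern the analysis and the third recommended action describe (this is not Concrete CMS code; the calendar model, the permission rule and the function names are assumptions), the vulnerable dialog handler fetches an event by its request-supplied id and relies on the public block as context, while the hardened handler first binds the event to the block's calendar and then checks that the viewer may see that calendar:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of calendars, events and viewers; not Concrete CMS data structures.
@dataclass(frozen=True)
class Calendar:
    id: int
    is_public: bool
    viewers: frozenset = field(default_factory=frozenset)  # users allowed on a private calendar

@dataclass(frozen=True)
class Event:
    id: int
    calendar_id: int
    title: str

CALENDARS = {
    1: Calendar(1, is_public=True),
    2: Calendar(2, is_public=False, viewers=frozenset({"staff"})),
}
EVENTS = {
    10: Event(10, calendar_id=1, title="Open day"),
    20: Event(20, calendar_id=2, title="Board meeting"),
}

def can_view_calendar(user: str, calendar: Calendar) -> bool:
    return calendar.is_public or user in calendar.viewers

def event_dialog_vulnerable(block_calendar_id: int, event_id: int, user: str) -> Optional[str]:
    # Vulnerable pattern (CWE-639): the dialog is reachable because the block is public,
    # but the event is looked up by the request-supplied id alone, so an id belonging to
    # another (private) calendar is rendered just the same. block_calendar_id and user
    # are never consulted.
    event = EVENTS.get(event_id)
    return event.title if event else None

def event_dialog_fixed(block_calendar_id: int, event_id: int, user: str) -> Optional[str]:
    # Hardened: the event must belong to the calendar this block displays, and the
    # viewer must be permitted to see that calendar, before anything is rendered.
    event = EVENTS.get(event_id)
    if event is None or event.calendar_id != block_calendar_id:
        return None  # cross-calendar id: refuse (a good place to log the denied request)
    if not can_view_calendar(user, CALENDARS[event.calendar_id]):
        return None
    return event.title
```

For an anonymous visitor of the public block requesting the private event's id, the vulnerable handler returns "Board meeting" while the fixed handler returns None.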

Advisories

No advisories yet.

History

Tue, 26 May 2026 15:00:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 22 May 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 23:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Concretecms; Concretecms concrete Cms
Vendors & Products  |                | Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Title       |                | Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event Frontend Dialog
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T12:27:38.540Z

Reserved: 2026-05-09T00:11:45.659Z

Link: CVE-2026-8204

Vulnrichment

Updated: 2026-05-22T12:27:34.914Z

NVD

Status: Analyzed

Published: 2026-05-21T21:16:33.530

Modified: 2026-05-26T14:58:25.500

Link: CVE-2026-8204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:15:17Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key