Description
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS 9.5.0 and earlier contain an authorization bypass in the calendar event frontend dialog. The flaw allows a user to reach private calendar entries through a public calendar block, exposing protected data. This is a standard case of CWE-639, where the application fails to enforce proper authorization checks on the action a user requests.

Affected Systems

Any Concrete CMS site running version 9.5.0 or an earlier release is affected. The vulnerable component is the calendar event dialog presented in the frontend, which can be invoked through a public calendar block that is configured on the website.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, with a network attack vector and low complexity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. An attacker who can reach the public calendar block can exploit the bypass to view private calendar entries, potentially compromising confidentiality.

Generated by OpenCVE AI on May 21, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade to a Concrete CMS release newer than 9.5.0 that addresses the authorization bypass.
  • If an upgrade is not immediately possible, limit or remove public calendar blocks from publicly accessible pages to prevent them from acting as a pivot point.
  • Review the application’s authorization logic for calendar events and ensure that it validates user permissions before rendering event details.


Advisories

No advisories yet.

History

Thu, 21 May 2026 23:30:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Concretecms; Concretecms concrete Cms

Type: Vendors & Products
  Values removed: (none)
  Values added: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type: Description
  Values removed: (none)
  Values added: Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

Type: Title
  Values removed: (none)
  Values added: Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event Frontend Dialog

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-639

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Concretecms Concrete Cms
MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:56:33.018Z

Reserved: 2026-05-09T00:11:45.659Z

Link: CVE-2026-8204

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T21:16:33.530

Modified: 2026-05-21T21:16:33.530

Link: CVE-2026-8204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:15:17Z

Weaknesses