Description
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authorization bypass in Concrete CMS’s Calendar Block: the action_get_events method does not verify canView permission on the calendar before returning events. An unauthorized user can therefore retrieve event details that are meant to be restricted, potentially exposing sensitive scheduling data. The weakness is classified as CWE‑425 (Direct Request, ‘Forced Browsing’): the endpoint can be requested directly, skipping the permission check that the rest of the application enforces, which undermines confidentiality.

Affected Systems

All Concrete CMS releases 9.5.0 and earlier are affected. No lower bound is listed, so every release up to and including 9.5.0 should be treated as vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 6.3 indicates moderate severity; no EPSS score is available, so the exploitation probability is unknown. The CVSS vector shows the flaw is reachable over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), although attack requirements are present (AT:P); an attacker can trigger it by requesting the calendar endpoint through the web interface without special privileges, and the impact is limited to confidentiality (VC:L). The vulnerability is not currently listed in CISA’s KEV catalog, suggesting no known active exploitation, but the low‑to‑moderate risk still warrants attention.

Generated by OpenCVE AI on May 21, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to a version that includes the missing permission check for the Calendar Block.
  • If an update is not yet available, disable the Calendar Block on publicly accessible pages or restrict calendar permissions to prevent unauthorized access.
  • Monitor Concrete CMS security advisories and apply any future patches promptly; verify that the canView check has been implemented.



Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Concretecms; Concretecms concrete Cms
Vendors & Products | (none) | Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.
Title | (none) | Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in Calendar Block since action_get_events does not check canView on the calendar
Weaknesses | (none) | CWE-425
References | (none) | (none listed)
Metrics | (none) | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:57:49.858Z

Reserved: 2026-05-09T00:57:15.214Z

Link: CVE-2026-8205

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T21:16:33.650

Modified: 2026-05-21T21:16:33.650

Link: CVE-2026-8205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses