Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier allow an unauthenticated attacker to send a GET request to /ccm/system/dialogs/file/usage/{fID} with any integer file ID. The response returns sensitive internal site structure data, including page identifiers, versions, and URL paths, exposing information that could aid further attacks. The vulnerability is an Insecure Direct Object Reference (IDOR).

Affected Systems

Any Concrete CMS installation running version 9.5.0 or lower is affected. The attack exploits the missing authentication gate in the /ccm/system/dialogs/file/usage/ endpoint.

Risk and Exploitability

The CVSS v4.0 score of 6.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Since authentication is not required, any user with network access to the site can exploit this IDOR to retrieve internal site structure data over the network. The attack surface is broad and can lead to enumeration of the site’s contents, potentially exposing further weaknesses.

Generated by OpenCVE AI on May 21, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Concrete CMS to a version newer than 9.5.0.
  • Restrict access to the /ccm/system/dialogs/file/usage/ endpoint by configuring web-server authentication or firewall rules to block unauthenticated requests.
  • Audit the site for other exposed endpoints and review access logs for signs of abuse of the IDOR vulnerability.
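As an added illustration of the last action (example code, not part of the OpenCVE page or of Concrete CMS itself), the Python script below scans combined-format web-server access logs for clients that received file-usage data for many distinct fIDs within a short window, the pattern a log review would look for on an unpatched 9.5.0 site. The sample log lines, the 5-IDs-in-60-seconds threshold and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx); only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# The endpoint from the advisory: it accepts any integer fID with no auth check.
USAGE_RE = re.compile(r'^/ccm/system/dialogs/file/usage/(?P<fid>\d+)(?:[/?]|$)')

def parse_line(line):
    """Return (ip, timestamp, fID, status) for a GET to the usage endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'GET':
        return None
    u = USAGE_RE.match(m.group('path'))
    if not u:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, int(u.group('fid')), int(m.group('status'))

def find_enumeration(lines, min_ids=5, window_s=60):
    """Map client IP -> sorted fIDs for clients that received usage data (HTTP 200)
    for at least `min_ids` distinct file IDs inside any `window_s`-second window.
    The thresholds are assumptions; tune them to the site's normal editor traffic."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 200:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {f for t, f in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(in_window) >= min_ids:
                flagged[ip] = sorted({f for _, f in events})
                break
    return flagged

# Constructed sample: one normal editor request, then one client walking fIDs 1..5.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2026:20:00:01 +0000] "GET /ccm/system/dialogs/file/usage/42 HTTP/1.1" 200 812
203.0.113.7 - - [21/May/2026:20:01:00 +0000] "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 200 640
203.0.113.7 - - [21/May/2026:20:01:01 +0000] "GET /ccm/system/dialogs/file/usage/2 HTTP/1.1" 200 655
203.0.113.7 - - [21/May/2026:20:01:02 +0000] "GET /ccm/system/dialogs/file/usage/3 HTTP/1.1" 200 701
203.0.113.7 - - [21/May/2026:20:01:03 +0000] "GET /ccm/system/dialogs/file/usage/4 HTTP/1.1" 200 120
203.0.113.7 - - [21/May/2026:20:01:04 +0000] "GET /ccm/system/dialogs/file/usage/5 HTTP/1.1" 200 133
203.0.113.7 - - [21/May/2026:20:01:05 +0000] "GET /index.php HTTP/1.1" 200 9000
""".splitlines()
```

Calling find_enumeration(SAMPLE_LOG) on the constructed lines flags only 203.0.113.7; the single editor request from 10.0.0.5 stays below the threshold.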


Advisories

No advisories yet.

History

Thu, 21 May 2026 23:15:00 +0000

  • First Time appeared: added Concretecms; Concretecms concrete Cms
  • Vendors & Products: added Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

  • Description: added "Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting."
  • Title: added "Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate for endpoint /ccm/system/dialogs/file/usage/{fID}"
  • Weaknesses: added CWE-862
  • References: none
  • Metrics: added cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:59:07.334Z

Reserved: 2026-05-09T15:01:30.954Z

Link: CVE-2026-8236

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T22:16:49.647

Modified: 2026-05-21T22:16:49.647

Link: CVE-2026-8236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:00:12Z

Weaknesses