Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR in the /ccm/frontend/conversations/message_detail endpoint of Concrete CMS 9.5.0 and earlier. An unauthenticated user can request any conversation message ID and receive the full message content. Once accessed, the attacker can also download attached files because the attachment URLs are not protected. Because the endpoint exposes messages from restricted pages, member-only areas, and moderation queues, the flaw can lead to significant disclosure of confidential communications and sensitive data.

Affected Systems

Concrete CMS versions 9.5.0 and all earlier releases are affected. The flaw resides in the frontend conversation module and is present in the default product without any configuration changes. Administrators running these versions should assume that any client able to send HTTP requests to the affected endpoint can obtain private message contents.

Risk and Exploitability

With a CVSS score of 6.3, the flaw carries a moderate severity rating. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. An attacker needs neither authentication nor elevated privileges; a request carrying a valid message identifier is sufficient. Although exploitation requires knowing a message ID, automated discovery methods can identify valid IDs. Consequently, the exploitation risk is moderate but could be higher in environments where the CMS allows public access to the conversation module.

Generated by OpenCVE AI on May 21, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to a version newer than 9.5.0 where the IDOR is fixed.
  • If an upgrade cannot be performed immediately, restrict access to the /ccm/frontend/conversations/message_detail endpoint by requiring authentication or applying ACLs so that only authorized users can retrieve message details.
  • Configure the CMS to secure attachment download URLs, for example by protecting them behind authentication or by using time-limited signed URLs, to prevent unauthorized file downloads.
  • Monitor access logs for unusual requests to the endpoint and investigate any suspicious activity.
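A detection rule of the kind the last action calls for, added here as an example and not part of the OpenCVE record or of Concrete CMS itself: it parses constructed access-log lines in combined log format and flags clients that fetch an unusually large number of distinct messages from the affected endpoint inside a short window, which is the access pattern an IDOR enumeration leaves behind. The query parameter name messageID and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

ENDPOINT = "/ccm/frontend/conversations/message_detail"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (combined log format). The parameter name messageID
# is an assumption, so the rule keys on the whole query string, not on a name.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:22:10:01 +0000] "GET /ccm/frontend/conversations/message_detail?messageID=1 HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:22:10:02 +0000] "GET /ccm/frontend/conversations/message_detail?messageID=2 HTTP/1.1" 200 790 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:22:10:03 +0000] "GET /ccm/frontend/conversations/message_detail?messageID=3 HTTP/1.1" 200 805 "-" "curl/8.0"
198.51.100.4 - - [21/May/2026:22:10:20 +0000] "GET /ccm/frontend/conversations/message_detail?messageID=57 HTTP/1.1" 200 1020 "https://cms.example/forum" "Mozilla/5.0"
198.51.100.4 - - [21/May/2026:22:10:25 +0000] "GET /ccm/frontend/conversations/message_detail?messageID=57 HTTP/1.1" 200 1020 "https://cms.example/forum" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, query) for a request to ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    path, _, query = target.partition("?")
    return (ip, datetime.strptime(ts, TIME_FMT), query) if path == ENDPOINT else None

def find_enumeration(log_text, threshold=3, window_seconds=60):
    """Flag IPs that fetched >= threshold distinct messages in any window_seconds."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start, seen = 0, 0, defaultdict(int)
        for ts, query in events:  # sliding window over time-sorted events
            seen[query] += 1
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))  # distinct messages in current window
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

A reader who reloads the same message is counted once, so the rule reacts to breadth of IDs rather than raw request volume; tune the threshold to the forum's real usage before alerting on it.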


Advisories

No advisories yet.

History

Thu, 21 May 2026 22:45:00 +0000

Type: First Time appeared
Values added: Concretecms; Concretecms concrete Cms
Type: Vendors & Products
Values added: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type: Description
Values added: Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
Type: Title
Values added: Concrete CMS 9.5.0 and below is vulnerable to IDOR in the `/ccm/frontend/conversations/message_detail` endpoint
Type: Weaknesses
Values added: CWE-862
Type: References
Values added: (empty)
Type: Metrics
Values added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:01:37.990Z

Reserved: 2026-05-09T15:21:20.891Z

Link: CVE-2026-8237

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:49.773

Modified: 2026-05-21T22:16:49.773

Link: CVE-2026-8237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses