Concrete CMS versions 9.5.0 and earlier expose an improper authorization flaw that lets anyone query the /ccm/frontend/conversations/message_page endpoint and retrieve the full content of any conversation message. The flaw allows an unauthenticated attacker to read highly sensitive information, including messages from restricted pages, member‑only areas, and the moderation queue, as well as download URLs for attached files. The weakness is an IDOR (CWE‑862) that compromises confidentiality and data integrity.

The vulnerability affects all installations of Concrete CMS released in version 9.5.0 and earlier. The affected product is the Concrete CMS content management system. No specific patch level is listed, so any system running those versions is at risk.

The CVSS score of 6.3 characterizes the issue as medium severity, and the EPSS score is not available. The vulnerability is not included in the CISA KEV list. An attacker can exploit the flaw by making unauthenticated HTTP requests to the vulnerable endpoint, enumerating message identifiers, and retrieving message bodies or attachment URLs. Because no authentication is required, the attack can be automated and performed remotely, making it a practical threat in environments where the CMS is publicly exposed.