CVE-2026-6826
Unauthenticated File Usage Disclosure in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | 9.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
Concrete CMS version 9.5.0 and earlier has a security flaw where an unauthenticated user can access information about file usage without proper permission checks.
Specifically, anyone can send a request to the usage controller endpoint with any file ID and receive a list of all pages that reference that file, including page IDs, handles, and full URLs.
This means that even pages normally restricted by permissions can be disclosed to unauthenticated visitors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated users to access detailed information about file usage within the Concrete CMS, including page IDs, handles, and full URLs, even for pages that are normally restricted by permissions.
Such unauthorized disclosure of information could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information and proper permission checks to prevent unauthorized data exposure.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of information about the structure and content of a website using Concrete CMS.
An attacker or unauthorized user could gather sensitive information about which pages reference certain files, potentially exposing restricted content or internal site organization.
This could be used for further attacks, reconnaissance, or to bypass access controls by learning about protected resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if unauthenticated requests to the endpoint /ccm/system/dialogs/file/usage/{fID} return information about file usage, including page IDs, handles, and URLs.
A simple way to test this is to send an HTTP GET request to the URL with a file ID and observe if the response discloses usage information without authentication.
For example, you can use the following command to test from a terminal:
- curl -v http://<your-concrete-cms-site>/ccm/system/dialogs/file/usage/1
If the response contains details about pages referencing the file, the vulnerability is present.
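To check whether the endpoint has already been queried, the following added example (not from the advisory or the Concrete CMS project) scans access log lines for successful responses from the usage path and groups the requested file IDs by client. The log lines are constructed sample data, and the combined log format and the `min_ids` threshold are assumptions.

```python
import re
from collections import defaultdict

# Endpoint path as given in the advisory. The optional prefix allows for
# index.php or subdirectory installs (an assumption about the deployment).
USAGE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ \S*?/ccm/system/dialogs/file/usage/(?P<fid>\d+)(?:[/?#][^" ]*)? [^"]*" '
    r'(?P<status>\d{3}) '
)


def find_usage_probes(lines, min_ids=3):
    """Map client IP -> sorted file IDs for clients that received a 2xx from
    the usage endpoint for at least min_ids distinct file IDs."""
    seen = defaultdict(set)
    for line in lines:
        m = USAGE_LINE.match(line)
        # Only successful responses can have returned usage data.
        if m and m["status"].startswith("2"):
            seen[m["ip"]].add(int(m["fid"]))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}


# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/2 HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /ccm/system/dialogs/file/usage/3 HTTP/1.1" 200 530 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/May/2026:10:00:04 +0000] "GET /ccm/system/dialogs/file/usage/4 HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.20 - - [21/May/2026:10:05:00 +0000] "GET /index.php/ccm/system/dialogs/file/usage/15 HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [21/May/2026:10:05:09 +0000] "GET /about HTTP/1.1" 200 8041 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ids in find_usage_probes(SAMPLE_LOG).items():
        print(f"{ip} read usage data for file IDs {ids}")
```

Access logs in this format do not record whether a request carried a valid session, so compare any hits against known editor activity before treating them as disclosure.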
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper permission checks or access controls.
If possible, update Concrete CMS to a version above 9.5.0 where this vulnerability is fixed.
Alternatively, you can block unauthenticated access to the /ccm/system/dialogs/file/usage/ path via web server configuration or firewall rules.