CVE-2026-6826
Analyzed Analyzed - Analysis Complete
Unauthenticated File Usage Disclosure in Concrete CMS

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller.  Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-6826
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Concrete CMS version 9.5.0 and earlier has a security flaw where an unauthenticated user can access information about file usage without proper permission checks.

Specifically, anyone can send a request to the usage controller endpoint with any file ID and receive a list of all pages that reference that file, including page IDs, handles, and full URLs.

This means that even pages normally restricted by permissions can be disclosed to unauthenticated visitors.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of information about the structure and content of a website using Concrete CMS.

An attacker or unauthorized user could gather sensitive information about which pages reference certain files, potentially exposing restricted content or internal site organization.

This could be used for further attacks, reconnaissance, or to bypass access controls by learning about protected resources.

Detection Guidance

This vulnerability can be detected by checking if unauthenticated requests to the endpoint /ccm/system/dialogs/file/usage/{fID} return information about file usage, including page IDs, handles, and URLs.

A simple way to test this is to send an HTTP GET request to the URL with a file ID and observe if the response discloses usage information without authentication.

For example, you can use the following command to test from a terminal:

  • curl -v http://<your-concrete-cms-site>/ccm/system/dialogs/file/usage/1

If the response contains details about pages referencing the file, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper permission checks or access controls.

If possible, update Concrete CMS to a version above 9.5.0 where this vulnerability is fixed.

Alternatively, you can block unauthenticated access to the /ccm/system/dialogs/file/usage/ path via web server configuration or firewall rules.

Compliance Impact

This vulnerability allows unauthenticated users to access detailed information about file usage within the Concrete CMS, including page IDs, handles, and full URLs, even for pages that are normally restricted by permissions.

Such unauthorized disclosure of information could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive information and proper permission checks to prevent unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6826. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart