CVE-2026-7886
Received Received - Intake
IDOR in Concrete CMS via Attachments Parameter

Publication date: 2026-05-21

Last updated on: 2026-05-22

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. if a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-22
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-7886
EUVD
EUVD-2026-31360
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Concrete CMS version 9.5.0 and below and is an Insecure Direct Object Reference (IDOR) issue in the AddMessage and UpdateMessage conversation controllers.

The problem arises because these controllers accept user-supplied file attachment IDs via the attachments[] parameter and load files directly without verifying if the user has permission to view those files.

Specifically, the system uses a function to find files by their ID but does not check per-file permissions with canViewFile(), allowing a user who can post in any conversation to reference any file in the CMS file manager by its sequential ID.

This effectively bypasses the file permission system, potentially exposing files that should be restricted.

Impact Analysis

This vulnerability can allow a user with posting permissions in any conversation to access files they should not be authorized to view by referencing file IDs directly.

As a result, sensitive or private files stored in the CMS file manager could be exposed to unauthorized users, leading to potential data leakage.

However, the impact is somewhat mitigated if the site owner configures private storage locations outside of the webroot, which enforces permission checks on file views.

Mitigation Strategies

To mitigate this vulnerability, site owners should set up a private storage location outside of the webroot. This ensures that permissions can be properly checked on file views, preventing unauthorized users from accessing private files even if they are linked or attached by authorized users.

Specifically, configuring private storage locations as described in the Concrete CMS documentation helps protect files from unauthorized access despite the IDOR vulnerability in the AddMessage/UpdateMessage controllers.

Compliance Impact

The vulnerability in Concrete CMS allows unauthorized users to bypass file permission checks and access files they should not be able to view. This could potentially lead to unauthorized disclosure of sensitive or private information.

Such unauthorized access to files may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data to protect privacy and confidentiality.

However, the Concrete CMS security team recommends configuring private storage locations outside the webroot to enforce proper permission checks, which can mitigate the risk of unauthorized file access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7886. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart