CVE-2026-8205
Status: Analyzed (Analysis Complete)

Authorization Bypass in Concrete CMS Calendar Block

Vulnerability report for CVE-2026-8205, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description

Concrete CMS 9.5.0 and below is vulnerable to an authorization bypass in the Calendar Block: action_get_events does not check canView on the calendar, which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to lalalala5678 for reporting.
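The defect class described above, an action endpoint that serialises event data without first asking whether the caller may view the owning calendar, is shown below as an added illustration. This is not Concrete CMS code: every class and method name (User, Calendar, CalendarEvent, CalendarEventsAction, AccessDeniedException, getEventsUnchecked, getEventsChecked) is hypothetical, and the sample calendars and events are constructed for the example. The point is the placement of the canView check: it must run on the calendar object resolved from the request, before any event detail is built.

```php
<?php
// Added illustration, not Concrete CMS code. All names below are hypothetical.
declare(strict_types=1);

final class User
{
    /** @param string[] $groups */
    public function __construct(public readonly string $name, public readonly array $groups) {}
}

final class CalendarEvent
{
    public function __construct(public readonly int $id, public readonly string $title, public readonly string $detail) {}
}

final class Calendar
{
    /**
     * @param string[]        $viewerGroups groups allowed to view; empty means public
     * @param CalendarEvent[] $events
     */
    public function __construct(public readonly int $id, private array $viewerGroups, private array $events) {}

    // Object-level authorization: a restricted calendar is viewable only by
    // an authenticated user who belongs to one of the allowed groups.
    public function canView(?User $user): bool
    {
        if ($this->viewerGroups === []) {
            return true;
        }
        return $user !== null && array_intersect($user->groups, $this->viewerGroups) !== [];
    }

    /** @return CalendarEvent[] */
    public function getEvents(): array
    {
        return $this->events;
    }
}

final class AccessDeniedException extends RuntimeException {}

final class CalendarEventsAction
{
    /** @param array<int, Calendar> $calendars calendars keyed by id */
    public function __construct(private array $calendars) {}

    /** @return array<int, array{id:int,title:string,detail:string}> */
    private function serialize(Calendar $calendar): array
    {
        return array_map(
            fn (CalendarEvent $e) => ['id' => $e->id, 'title' => $e->title, 'detail' => $e->detail],
            $calendar->getEvents()
        );
    }

    // Pattern behind the advisory: the calendar id comes from the request and
    // the action returns event details without ever consulting canView().
    public function getEventsUnchecked(int $calendarId, ?User $user): array
    {
        $calendar = $this->calendars[$calendarId] ?? throw new InvalidArgumentException('no such calendar');
        return $this->serialize($calendar);
    }

    // Corrected form: enforce the view permission on the resolved calendar
    // before any event data is produced, and fail closed on an unknown id.
    public function getEventsChecked(int $calendarId, ?User $user): array
    {
        $calendar = $this->calendars[$calendarId] ?? null;
        if ($calendar === null || !$calendar->canView($user)) {
            // One response for "missing" and "forbidden" avoids confirming
            // that a restricted calendar exists.
            throw new AccessDeniedException('calendar not available');
        }
        return $this->serialize($calendar);
    }
}

// Constructed sample data: one staff-only calendar and one public calendar.
$restricted = new Calendar(7, ['staff'], [new CalendarEvent(1, 'Board meeting', 'Room 4, agenda attached')]);
$public     = new Calendar(8, [], [new CalendarEvent(2, 'Open day', 'Main hall')]);
$action     = new CalendarEventsAction([7 => $restricted, 8 => $public]);
$anonymous  = null;
$staff      = new User('alice', ['staff']);

// Unchecked handler: the anonymous caller receives the restricted event details.
echo count($action->getEventsUnchecked(7, $anonymous)) . " restricted event(s) disclosed by the unchecked handler\n";

// Checked handler: anonymous is refused, staff and public access still work.
try {
    $action->getEventsChecked(7, $anonymous);
} catch (AccessDeniedException $e) {
    echo "anonymous refused by the checked handler: {$e->getMessage()}\n";
}
echo count($action->getEventsChecked(7, $staff)) . " event(s) returned to staff\n";
echo count($action->getEventsChecked(8, $anonymous)) . " public event(s) returned to anonymous\n";
```

Run it with `php` 8.1 or later. The check is deliberately placed on the calendar resolved from the request rather than on the block or page that embeds it, because a calendar id supplied by the caller need not match the calendar the embedding page was permitted to show.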


Meta Information

Published: 2026-05-21
Last Modified: 2026-05-26
Generated: 2026-07-02
AI Q&A: 2026-05-22
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Associated CPE (1):
Vendor: concretecms
Product: concrete_cms
Version range: up to and including 9.5.0

Exploitability

CWE-425: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Executive Summary

This vulnerability affects Concrete CMS version 9.5.0 and below. It is an authorization bypass issue in the Calendar Block component. Specifically, the function action_get_events does not properly check whether a user has permission (canView) to access the calendar. As a result, users can access restricted event details that they should not be able to see.

Compliance Impact

The vulnerability in Concrete CMS 9.5.0 and below allows authorization bypass in the Calendar Block, leading to restricted event details being disclosed without proper permission checks.

This unauthorized disclosure of restricted event information could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

However, the provided information does not explicitly state the exact compliance implications or whether the disclosed event details include personal or sensitive data covered by these regulations.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of restricted event details within the Concrete CMS Calendar Block. This means that sensitive or confidential event information could be exposed to users who do not have the proper permissions, potentially leading to privacy breaches or information leakage.
