CVE-2026-8205
Status: Received - Intake
Authorization Bypass in Concrete CMS Calendar Block

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is vulnerable to an authorization bypass in the Calendar Block: action_get_events does not check canView on the calendar, so restricted event details are disclosed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to lalalala5678 for reporting.
Meta Information
Published: 2026-05-21
Last Modified: 2026-05-21
Generated: 2026-05-22
AI Q&A: 2026-05-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: concrete_cms
Product: concrete_cms
Version / Range: up to 9.5.1 (exclusive)
CWE
CWE-425: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Concrete CMS version 9.5.0 and below. It is an authorization bypass issue in the Calendar Block component. Specifically, the function action_get_events does not properly check whether a user has permission (canView) to access the calendar. As a result, users can access restricted event details that they should not be able to see.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Concrete CMS 9.5.0 and below allows authorization bypass in the Calendar Block, leading to restricted event details being disclosed without proper permission checks.

This unauthorized disclosure of restricted event information could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

However, the provided information does not explicitly state the exact compliance implications or whether the disclosed event details include personal or sensitive data covered by these regulations.

How can this vulnerability impact me?

The vulnerability can lead to unauthorized disclosure of restricted event details within the Concrete CMS Calendar Block. This means that sensitive or confidential event information could be exposed to users who do not have the proper permissions, potentially leading to privacy breaches or information leakage.