CVE-2026-8205
Authorization Bypass in Concrete CMS Calendar Block

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is vulnerable to an authorization bypass in the Calendar Block: action_get_events does not check canView on the calendar, so restricted event details are disclosed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting.
Meta Information
Generated: 2026-06-11
AI Q&A: 2026-05-22
EPSS Evaluated: 2026-06-10
Affected Vendors & Products
Showing 1 associated CPE
Vendor: concretecms
Product: concrete_cms
Version / Range: up to 9.5.0 (inclusive)
CWE
CWE-425: The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Executive Summary

This vulnerability affects Concrete CMS version 9.5.0 and below. It is an authorization bypass issue in the Calendar Block component. Specifically, the function action_get_events does not properly check whether a user has permission (canView) to access the calendar. As a result, users can access restricted event details that they should not be able to see.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of restricted event details within the Concrete CMS Calendar Block. This means that sensitive or confidential event information could be exposed to users who do not have the proper permissions, potentially leading to privacy breaches or information leakage.

Compliance Impact

The vulnerability in Concrete CMS 9.5.0 and below allows authorization bypass in the Calendar Block, leading to restricted event details being disclosed without proper permission checks.

This unauthorized disclosure of restricted event information could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

However, the provided information does not explicitly state the exact compliance implications or whether the disclosed event details include personal or sensitive data covered by these regulations.
