CVE-2026-8236
Analyzed Analyzed - Analysis Complete
IDOR and Missing Authentication in Concrete CMS

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-8236
EUVD
EUVD-2026-31347
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects Concrete CMS version 9.5.0 and below. It is an Insecure Direct Object Reference (IDOR) combined with a missing authentication gate. Specifically, the endpoint /ccm/system/dialogs/file/usage/{fID} accepts a file ID as an integer in the URL and returns internal site structure data such as page IDs, versions, and URL paths. Because there is no authentication required, anyone who sends a GET request to this endpoint with a valid file ID can access this sensitive internal information.

Impact Analysis

This vulnerability can expose internal site structure data to unauthorized users. Attackers can retrieve sensitive information like page IDs, versions, and URL paths without any authentication. This exposure can aid attackers in mapping the site, planning further attacks, or exploiting other vulnerabilities, potentially compromising the security and integrity of the affected Concrete CMS installation.

Detection Guidance

This vulnerability can be detected by checking if the endpoint /ccm/system/dialogs/file/usage/{fID} is accessible without authentication and returns internal site structure data when accessed with different integer file IDs.

A simple way to test this is to send GET requests to this endpoint with various file ID values and observe if sensitive data such as page IDs, versions, or URL paths are returned.

Example command using curl to test file ID 1:

  • curl -i http://[target-domain]/ccm/system/dialogs/file/usage/1

If the response contains internal site structure data without requiring authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper authentication and authorization checks.

Ensure that the endpoint /ccm/system/dialogs/file/usage/{fID} is not accessible to unauthenticated users.

If possible, update Concrete CMS to a version above 9.5.0 where this vulnerability is fixed.

As a temporary measure, consider blocking access to this endpoint via firewall rules or web server configuration until a patch or update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart