CVE-2026-8236
IDOR and Missing Authentication in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete5 | concrete_cms | up to and including 9.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS versions 9.5.0 and below. It is an Insecure Direct Object Reference (IDOR) combined with a missing authentication gate. Specifically, the endpoint /ccm/system/dialogs/file/usage/{fID} accepts a file ID as an integer in the URL and returns internal site structure data such as page IDs, versions, and URL paths. Because no authentication is required, anyone who sends a GET request to this endpoint with a valid file ID can access this sensitive internal information.
How can this vulnerability impact me?
This vulnerability can expose internal site structure data to unauthorized users. Attackers can retrieve sensitive information like page IDs, versions, and URL paths without any authentication. This exposure can aid attackers in mapping the site, planning further attacks, or exploiting other vulnerabilities, potentially compromising the security and integrity of the affected Concrete CMS installation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the endpoint /ccm/system/dialogs/file/usage/{fID} is accessible without authentication and returns internal site structure data when accessed with different integer file IDs.
A simple way to test this is to send GET requests to this endpoint with various file ID values and observe if sensitive data such as page IDs, versions, or URL paths are returned.
Example command using curl to test file ID 1:
- curl -i http://[target-domain]/ccm/system/dialogs/file/usage/1
If the response contains internal site structure data without requiring authentication, the vulnerability is present.
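To complement the live check, the following added example (not part of the advisory or of Concrete CMS) scans web server access logs for clients that already received HTTP 200 responses from the file-usage endpoint for several different file IDs. It assumes Combined Log Format, an optional /index.php prefix for sites without pretty URLs, and an arbitrary threshold of three distinct IDs; access logs do not record session state, so hits are candidates to review, not proof of unauthenticated access.

```python
import re
from collections import defaultdict

# Assumption: Apache/nginx Combined Log Format.
# Captures client IP, HTTP method, request path and response status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint named in the advisory; /index.php prefix is an assumption for non-pretty URLs.
USAGE_RE = re.compile(
    r'^(?:/index\.php)?/ccm/system/dialogs/file/usage/(?P<fid>\d+)/?(?:\?.*)?$'
)

def scan(lines, min_distinct_ids=3):
    """Return {client_ip: sorted fIDs} for clients that got HTTP 200 on the
    file-usage endpoint for at least `min_distinct_ids` different file IDs."""
    served = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # blocked, missing or non-GET requests leaked nothing
        hit = USAGE_RE.match(m["path"])
        if hit:
            served[m["ip"]].add(int(hit["fid"]))
    return {ip: sorted(ids) for ip, ids in served.items() if len(ids) >= min_distinct_ids}

# Constructed sample log lines (documentation IP ranges), not taken from a real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/2 HTTP/1.1" 200 790 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /ccm/system/dialogs/file/usage/3 HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/May/2026:10:00:04 +0000] "GET /index.php/ccm/system/dialogs/file/usage/4 HTTP/1.1" 200 640 "-" "curl/8.5.0"',
    '198.51.100.20 - - [21/May/2026:10:05:00 +0000] "GET /ccm/system/dialogs/file/usage/12 HTTP/1.1" 200 701 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [21/May/2026:10:05:09 +0000] "GET /blog/usage/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/May/2026:10:07:00 +0000] "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 403 199 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, ids in scan(SAMPLE_LOG).items():
        print(f"{ip} read file-usage data for fIDs {ids}")
```

Run it against logs from before and after the endpoint is restricted: after mitigation, new requests should show 403 or a login redirect and no longer be counted.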
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper authentication and authorization checks.
Ensure that the endpoint /ccm/system/dialogs/file/usage/{fID} is not accessible to unauthenticated users.
If possible, update Concrete CMS to a version above 9.5.0 where this vulnerability is fixed.
As a temporary measure, consider blocking access to this endpoint via firewall rules or web server configuration until a patch or update is applied.