CVE-2026-8238
IDOR Vulnerability in Concrete CMS Exposes Conversation Messages
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete5 | concrete_cms | to 9.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in Concrete CMS version 9.5.0 and below. It occurs at the '/ccm/frontend/conversations/message_page' endpoint, which returns the full content of any conversation message.
An unauthenticated attacker can exploit this flaw to enumerate all conversation messages, including those from restricted pages, member-only areas, and the moderation queue. Additionally, file attachments with download URLs are exposed to the attacker.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive information. Since an unauthenticated attacker can access conversation messages from restricted and member-only areas, confidential communications and file attachments may be exposed.
This exposure could result in privacy breaches, leakage of sensitive data, and potential misuse of the information obtained from these messages and attachments.