CVE-2026-8239
IDOR Vulnerability in Concrete CMS 9.5.0 and Below
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete5 | concrete_cms | up to 9.5.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS version 9.5.0 and below. It is an Insecure Direct Object Reference (IDOR) issue in the '/ccm/frontend/conversations/get_rating' endpoint. This endpoint can be exploited to confirm the existence of any message by its ID and retrieve its rating score without proper authorization.
How can this vulnerability impact me?
An attacker can use this vulnerability to access information about messages that they should not be able to see, specifically confirming message existence and viewing rating scores. This could lead to unauthorized disclosure of information and potential privacy issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the '/ccm/frontend/conversations/get_rating' endpoint confirming the existence and returning the rating score for any message by ID.
To detect this vulnerability on your system or network, you can attempt to access this endpoint with different message IDs and observe if the system returns rating scores without proper authorization.
For example, you might use a command like the following to test the endpoint:
- curl -i -X GET "http://[target]/ccm/frontend/conversations/get_rating?message_id=[ID]"
Replace [target] with your Concrete CMS server address and [ID] with various message IDs to check if the endpoint returns rating information without authentication.
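As an added, defender-side example that is not part of this advisory: a PHP script that reads web-server access-log lines (the lines below are constructed samples in the common "combined" format) and flags any client that retrieved rating scores for many distinct message IDs, which is the traffic pattern the curl check above leaves behind. The endpoint path is the one named in the advisory; the threshold value is an assumption to tune against real traffic.

```php
<?php
// Added example (not from the advisory or the Concrete CMS project).
// Flags clients that pulled ratings for many distinct message IDs from the
// get_rating endpoint, i.e. enumeration of the IDOR described in CVE-2026-8239.

// Constructed sample access-log lines (Apache/nginx "combined" format).
$sampleLog = <<<'LOG'
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=101 HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=102 HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=103 HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=104 HTTP/1.1" 404 31 "-" "curl/8.5.0"
203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=105 HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=106 HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [21/May/2026:10:00:04 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=107 HTTP/1.1" 200 57 "-" "curl/8.5.0"
198.51.100.4 - - [21/May/2026:10:02:10 +0000] "GET /ccm/frontend/conversations/get_rating?message_id=55 HTTP/1.1" 200 57 "https://example.test/forum" "Mozilla/5.0"
198.51.100.4 - - [21/May/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
LOG;

const ENDPOINT = '/ccm/frontend/conversations/get_rating';   // path from the advisory
const DISTINCT_ID_THRESHOLD = 5;                              // assumption: tune per site

/** Parse one combined-format line into its fields, or null if it does not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[3]);
    parse_str($url['query'] ?? '', $query);
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[4],
    ];
}

/**
 * For each client IP, collect the distinct message_id values it requested from
 * the get_rating endpoint. Only successful (2xx) responses count, since those are
 * the ones that actually disclosed a rating.
 */
function collectRatingLookups(string $log): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLogLine($line);
        if ($r === null || $r['path'] !== ENDPOINT || $r['status'] >= 300) {
            continue;
        }
        $id = $r['query']['message_id'] ?? null;
        if ($id === null) {
            continue;
        }
        $byIp[$r['ip']][$id] = true;
    }
    return $byIp;
}

/** Return ip => count for clients at or above the distinct-ID threshold. */
function flagEnumerators(array $byIp, int $threshold = DISTINCT_ID_THRESHOLD): array
{
    $flagged = [];
    foreach ($byIp as $ip => $ids) {
        if (count($ids) >= $threshold) {
            $flagged[$ip] = count($ids);
        }
    }
    return $flagged;
}

foreach (flagEnumerators(collectRatingLookups($sampleLog)) as $ip => $n) {
    printf("ALERT %s retrieved ratings for %d distinct message IDs\n", $ip, $n);
}
```

On the constructed sample this reports 203.0.113.7 (six successful lookups across distinct IDs) and stays silent for 198.51.100.4, whose single lookup with a site referrer looks like ordinary page traffic. In production, run the same grouping over a sliding time window rather than the whole file, and add the session or user identifier if your log format records it: an IDOR probe from an unauthenticated client is the strongest signal this advisory describes.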
What immediate steps should I take to mitigate this vulnerability?
The CVE description does not provide specific mitigation steps.
However, general immediate mitigation steps for an IDOR vulnerability like this include:
- Restrict access to the '/ccm/frontend/conversations/get_rating' endpoint to authenticated and authorized users only.
- Implement proper access control checks on the server side to ensure users can only access ratings for messages they are permitted to view.
- Consider updating Concrete CMS to a version where this vulnerability is fixed once available.
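The server-side check in the second bullet, shown as an added example that is not Concrete CMS code: a hypothetical get_rating handler over an in-memory store, first without any authorization check (the CWE-862 pattern this advisory describes) and then with one. The data layout, function names and viewer-list permission model are assumptions for illustration only.

```php
<?php
// Added example (not Concrete CMS code). Contrasts a get_rating handler with no
// authorization check against one that verifies the caller may view the message.

// Constructed sample data (assumed model): a message belongs to a conversation,
// and each conversation lists the user IDs permitted to read it.
$conversations = [
    10 => ['viewers' => [1, 2]],   // users 1 and 2 may read conversation 10
    20 => ['viewers' => [3]],      // only user 3 may read conversation 20
];
$messages = [
    101 => ['conversation' => 10, 'rating' => 4],
    202 => ['conversation' => 20, 'rating' => -1],
];

/**
 * Vulnerable form: the only input is the message ID, so any caller learns
 * whether the message exists and what its rating is (missing authorization).
 */
function getRatingVulnerable(array $messages, int $messageId): array
{
    if (!isset($messages[$messageId])) {
        return ['status' => 404, 'body' => ['error' => 'not found']]; // existence oracle
    }
    return ['status' => 200, 'body' => ['rating' => $messages[$messageId]['rating']]];
}

/**
 * Hardened form: require an authenticated user, resolve the message's
 * conversation, and check membership before disclosing anything. A missing
 * message and a forbidden one get the same status and body, so the endpoint
 * no longer confirms which IDs exist.
 */
function getRatingChecked(array $messages, array $conversations, ?int $userId, int $messageId): array
{
    $denied = ['status' => 404, 'body' => ['error' => 'not available']];
    if ($userId === null) {
        return $denied;                       // anonymous callers get nothing
    }
    $msg = $messages[$messageId] ?? null;
    if ($msg === null) {
        return $denied;
    }
    $viewers = $conversations[$msg['conversation']]['viewers'] ?? [];
    if (!in_array($userId, $viewers, true)) {
        return $denied;                       // caller is not a viewer of this conversation
    }
    return ['status' => 200, 'body' => ['rating' => $msg['rating']]];
}

// Same three requests against both handlers: an anonymous caller, a viewer of
// conversation 10 asking about message 202 (conversation 20), and a probe for
// an ID that does not exist.
$cases = [
    ['user' => null, 'id' => 101],
    ['user' => 1,    'id' => 202],
    ['user' => 1,    'id' => 999],
    ['user' => 1,    'id' => 101],
];
foreach ($cases as $c) {
    $v = getRatingVulnerable($messages, $c['id']);
    $h = getRatingChecked($messages, $conversations, $c['user'], $c['id']);
    printf("user=%-4s id=%d  vulnerable: %d %s  checked: %d %s\n",
        var_export($c['user'], true), $c['id'],
        $v['status'], json_encode($v['body']),
        $h['status'], json_encode($h['body']));
}
```

Only the last case (user 1 reading message 101 in a conversation they belong to) returns a rating from the hardened handler; the vulnerable one returns ratings for the first two as well and distinguishes the non-existent ID 999 with a different error. The key ordering is authentication, then object lookup, then an authorization decision based on the object's owning resource, with a uniform response for every denied path.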