CVE-2026-8239
Analyzed Analyzed - Analysis Complete
IDOR Vulnerability in Concrete CMS 9.5.0 and Below

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-8239
EUVD
EUVD-2026-31349
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Concrete CMS version 9.5.0 and below. It is an Insecure Direct Object Reference (IDOR) issue in the '/ccm/frontend/conversations/get_rating' endpoint. This endpoint can be exploited to confirm the existence of any message by its ID and retrieve its rating score without proper authorization.

Impact Analysis

An attacker can use this vulnerability to access information about messages that they should not be able to see, specifically confirming message existence and viewing rating scores. This could lead to unauthorized disclosure of information and potential privacy issues.

Detection Guidance

This vulnerability involves the '/ccm/frontend/conversations/get_rating' endpoint confirming the existence and returning the rating score for any message by ID.

To detect this vulnerability on your system or network, you can attempt to access this endpoint with different message IDs and observe if the system returns rating scores without proper authorization.

For example, you might use a command like the following to test the endpoint:

  • curl -i -X GET "http://[target]/ccm/frontend/conversations/get_rating?message_id=[ID]"

Replace [target] with your Concrete CMS server address and [ID] with various message IDs to check if the endpoint returns rating information without authentication.

Mitigation Strategies

The CVE description does not provide specific mitigation steps.

However, general immediate mitigation steps for an IDOR vulnerability like this include:

  • Restrict access to the '/ccm/frontend/conversations/get_rating' endpoint to authenticated and authorized users only.
  • Implement proper access control checks on the server side to ensure users can only access ratings for messages they are permitted to view.
  • Consider updating Concrete CMS to a version where this vulnerability is fixed once available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8239. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart