MEDIUM

GHSA-58c8-vvqw-cm7m

Concrete CMS is vulnerable to IDOR combined with a missing authentication gate

Details

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / concrete5/concrete5

Introduced in: 0 Fixed in: 9.5.1

Fix composer require concrete5/concrete5:^9.5.1

References

https://nvd.nist.gov/vuln/detail/CVE-2026-8236 [ADVISORY]
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes [WEB]
https://github.com/concretecms/concretecms [PACKAGE]