Concrete 9.5.0 and below has file usage disclosure via missing...

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.

Basic Information

ID CVE-2026-6826

Source ConcreteCMS

Published May 21, 2026 at 20:55

Affected Product

Vendor Concrete CMS

Product Concrete CMS

Version 5.0

Affected Versions Concrete CMS Concrete CMS 5.0

CWE Classification

CWE-200

References

documentation.concretecms.org /9-x/developers/introduction/version-history/951-release-notes

{
    "lastseen": "",
    "description": "Concrete CMS 9.5.0 and below\u00a0 is vulnerable to\u00a0unauthenticated file usage disclosure via missing permission check in the usage controller.\u00a0\u00a0Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions.The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno\u00a0for reporting.",
    "published": "2026-05-21T20:55:21.936Z",
    "modified": "2026-05-21T20:55:21.936Z",
    "type": "cve",
    "title": "Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller",
    "source": "ConcreteCMS",
    "references": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes",
    "id": "CVE-2026-6826",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Concrete CMS Concrete CMS 5.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Concrete CMS",
    "version": "5.0",
    "vendor": "Concrete CMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller_CVE-2026-6826