CVEFinder.io

CVE-2026-7886

🔶 medium
🔍 Scan for this CVE
Summary

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively by

Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. if a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.

CVSS Score
4.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-21
First Seen: 2026-05-22
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 5.4% of all 330,193 vulnerabilities in our database.

#312,358
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 22, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Tristan Mandani
SSVC data provided by CISA
Last Modified 2026-05-22
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-639

📦 Affected Products 1

Vendor Product Status Affected Versions
concretecms concrete_cms Affected
< 9.5.1

🔗 References 1

https://documentation.concretecms.org/9-x/developers...
Release Notes

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8340 🔶 medium 4.3 0.0 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents p... 2026-05-22
CVE-2026-8347 🔶 medium 4.3 0.0 Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog... 2026-05-22
CVE-2026-8353 🔶 medium 4.8 0.0 Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inj... 2026-05-22
CVE-2026-6826 🔶 medium 5.3 0.0 Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in t... 2026-05-21
CVE-2026-8134 ⚠️ high 7.2 0.5 Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTempl... 2026-05-21
CVE-2026-8135 ⚠️ high 7.2 0.2 Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the E... 2026-05-21
These CVEs affect the same products