PatchSiren cyber security CVE debrief

CVE-2026-6826 Concrete CMS CVE debrief

CVE-2026-6826 is an unauthenticated information-disclosure issue in Concrete CMS 9.5.0 and earlier. A missing permission check in the file usage controller lets a remote visitor supply a file ID and receive the list of pages that use that file, including page IDs, handles, and full URLs. Because the list is not filtered by the requester's page permissions, it can include pages that are otherwise restricted, so the issue exposes site structure and content relationships to anyone who can reach the site, without an account.

Vendor
Concrete CMS
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Concrete CMS administrators, security teams, and developers operating internet-facing sites on Concrete CMS 9.5.0 or earlier should treat this as relevant, especially where the site hosts restricted pages or where file-to-page relationships (which files appear on which pages) are themselves sensitive.

Technical summary

The supplied CVE description and NVD metadata indicate that /ccm/system/dialogs/file/usage/{fID} lacked an authorization check. An unauthenticated requester could supply a file ID and obtain a list of pages referencing that file. The disclosed data includes page IDs, handles, and full URLs, and may cover pages protected by normal permissions. NVD maps the issue to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and assigns CVSS v4.0 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N). The VC:L component reflects that what leaks is page references (IDs, handles, URLs) rather than page content; the remaining components reflect a network-reachable endpoint with no privilege, user interaction, or attack-condition requirement. Because file IDs are small integers, the endpoint is also trivially enumerable.

Defensive priority

Medium overall, but higher priority for publicly reachable Concrete CMS deployments that rely on restricted pages or treat page-relationship metadata as sensitive.

Recommended defensive actions

  • Upgrade Concrete CMS to 9.5.1 or later, the release whose notes NVD cites as the fix reference, and confirm that the fix for this issue is listed in those notes before treating the upgrade as remediation.
  • Verify the fix on the running site: from a logged-out session, request /ccm/system/dialogs/file/usage/{fID} for a file that is placed on a restricted page and confirm the response no longer lists page references. Repeat for a few file IDs, since the check must hold for every fID, not only the one tested.
  • Audit web server and application logs for unusual or repeated requests to /ccm/system/dialogs/file/usage/{fID}. A single client walking many distinct, often sequential, file IDs in a short window is the pattern to look for; standard access logs do not record whether the requester was authenticated, so key the search on volume and ID coverage.
  • Treat page-relationship metadata as potentially sensitive and minimize unnecessary exposure of file usage details in custom code or integrations; any custom endpoint that returns page references should filter them by the requester's page permissions.
  • If immediate patching is not possible, reduce external exposure of the CMS and place additional access controls around administrative and metadata-bearing endpoints, for example by restricting the /ccm/system/dialogs/ path prefix at the reverse proxy to the source addresses of content editors.
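The log-audit action above, as an added example that is not part of the original debrief or of the Concrete CMS project: a small Python script that reads combined-format web server log lines (Apache or nginx style), keeps the hits on /ccm/system/dialogs/file/usage/{fID}, and flags any client that queried many distinct file IDs inside one sliding time window. The sample log lines are constructed for the example; the thresholds (10 distinct IDs in 5 minutes), the assumption that the endpoint may also be reached under an /index.php prefix, and the treatment of a 200 status as a successful disclosure are the author's assumptions, not facts from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx): only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The endpoint named in the CVE description. The optional /index.php prefix is an
# assumption about how the site may be routed, not something the advisory states.
USAGE_RE = re.compile(
    r'^(?:/index\.php)?/ccm/system/dialogs/file/usage/(?P<fid>\d+)(?:[?#]|$)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a record for a file-usage hit, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = USAGE_RE.match(m["path"])
    if not u:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "fid": int(u["fid"]),
        "status": int(m["status"]),
    }


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct=10):
    """Group file-usage hits per client and flag clients that touched at least
    `min_distinct` different file IDs inside one `window`. Returns ip -> finding."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        best = set()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            fids = {r["fid"] for r in recs[start:end + 1]}
            if len(fids) > len(best):
                best = fids
        if len(best) >= min_distinct:
            ordered = sorted(best)
            findings[ip] = {
                "distinct_fids": len(best),
                "fid_range": (ordered[0], ordered[-1]),
                # Contiguous IDs are the signature of a scripted walk over fIDs.
                "sequential": all(b - a == 1 for a, b in zip(ordered, ordered[1:])),
                "hits": len(recs),
                # Assumption: a 200 means the page-reference list was returned.
                "disclosed": sum(1 for r in recs if r["status"] == 200),
            }
    return findings


# Constructed sample: one client walks fIDs 100..111 in twelve seconds, retries
# one ID later and is refused (403), another client makes two ordinary requests.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/May/2026:10:00:{i:02d} +0000] '
    f'"GET /ccm/system/dialogs/file/usage/{100 + i} HTTP/1.1" 200 412 "-" "curl/8.5.0"'
    for i in range(12)
] + [
    '198.51.100.4 - - [21/May/2026:10:03:10 +0000] "GET /index.php/ccm/system/dialogs/file/usage/7 HTTP/1.1" 200 388 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/May/2026:10:03:12 +0000] "GET /ccm/system/dialogs/file/usage/9 HTTP/1.1" 200 391 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:10:05:00 +0000] "GET /ccm/system/dialogs/file/usage/111 HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '192.0.2.9 - - [21/May/2026:10:06:00 +0000] "GET /index.php/dashboard HTTP/1.1" 200 9020 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in find_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

Run it against a real access log with `find_enumeration(open(path))`; the thresholds are deliberately loose so that a legitimate editor opening a few file dialogs does not trip them, while a scripted walk over the file table does. Because the endpoint was unauthenticated, a flagged client with many 200 responses before the patch date should be treated as a confirmed disclosure of the affected pages' IDs, handles and URLs, not merely an attempt.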

Evidence notes

The CVE description states that unauthenticated visitors can query the file usage controller and receive page references, including references to restricted pages. The NVD record cites the Concrete CMS 9.5.1 release notes as its only supplied reference and assigns CWE-200. The corpus marks the vendor metadata as low-confidence and needing review, which is why the Product field above reads "Unknown"; product attribution should be interpreted cautiously and anchored to the supplied reference material rather than to the metadata.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-21, with the Concrete CMS 9.5.1 release notes as the cited vendor reference. No KEV entry is provided in the supplied corpus, and the corpus does not include evidence of active exploitation.