PatchSiren cyber security CVE debrief

CVE-2026-7879 Concrete CMS CVE debrief

CVE-2026-7879 describes an authorization bypass in Concrete CMS 9.5.0 and earlier. The submit_password() method in concrete/controllers/single_page/download_file.php can serve a file download without enforcing the view_file permission check. As described in the vendor/NVD record, this means files that carry no download password can be retrieved even when access should be restricted, and password-protected files can be retrieved by anyone who knows the password, regardless of whether the requester holds the view_file permission on that file. The issue was scored CVSS v4.0 6.3 (Medium) and was reported by Youssef Eid.

Vendor
Concrete CMS
Product
Concrete CMS (9.5.0 and earlier affected)
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Administrators and operators of Concrete CMS sites running 9.5.0 or earlier, especially deployments that rely on permission-restricted or password-protected file downloads. Security teams should also review any integrations or workflows that reach the affected download endpoint, since a password shared for one audience does not restrict the file to that audience on affected versions.

Technical summary

The flaw is a missing-authorization issue (CWE-862) in the download_file controller's submit_password() path. According to the supplied record, that path bypasses the view_file permission check during download handling. The result is an access-control gap: the password check stands in for the permission decision instead of being layered on top of it, so a restricted file may be retrieved without the expected authorization decision, including a password-protected file when the requester knows the password but lacks the underlying file permission.
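To make the gap concrete, the following is an added example written for this debrief, not Concrete CMS source: a small model of a password-gated download handler in which the vulnerable path treats a matching (or absent) password as sufficient, while the hardened path evaluates the view_file decision first and keeps the password as an additional gate. The User, StoredFile, can_view_file and handler names, the group-based permission model and the sample files are all assumptions chosen to illustrate the pattern.

```python
"""Model of the authorization gap in a password-gated download handler.

Hypothetical code written for this debrief; it is not Concrete CMS source.
User, StoredFile and the group-based permission check are stand-ins for the
CMS objects and for the real view_file permission.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


class Forbidden(Exception):
    """Raised when a download must be refused."""


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class StoredFile:
    file_id: int
    content: bytes
    view_groups: FrozenSet[str]        # groups granted view_file on this file
    password: Optional[str] = None     # download password, None when not gated
    # NOTE: a real system stores a password hash; plaintext keeps the model short.


def can_view_file(user: User, f: StoredFile) -> bool:
    """The view_file permission decision: any shared group grants access."""
    return bool(user.groups & f.view_groups)


def password_matches(f: StoredFile, submitted: Optional[str]) -> bool:
    """True when the file has no password or the submitted one matches."""
    if f.password is None:
        return True
    return hmac.compare_digest(f.password.encode(), (submitted or "").encode())


def submit_password_vulnerable(user: User, f: StoredFile, submitted: Optional[str]) -> bytes:
    """Models the flawed path: the password gate is the only check, so a
    correct (or absent) password is treated as sufficient to serve the file."""
    if not password_matches(f, submitted):
        raise Forbidden("wrong password")
    return f.content


def submit_password_fixed(user: User, f: StoredFile, submitted: Optional[str]) -> bytes:
    """Hardened path: view_file is decided first and independently; the
    password is an additional gate, never a substitute for the permission."""
    if not can_view_file(user, f):
        raise Forbidden("view_file denied")
    if not password_matches(f, submitted):
        raise Forbidden("wrong password")
    return f.content


Handler = Callable[[User, StoredFile, Optional[str]], bytes]


def attempt(handler: Handler, user: User, f: StoredFile, submitted: Optional[str] = None) -> int:
    """Run a handler and map its outcome to an HTTP-style status code."""
    try:
        handler(user, f, submitted)
        return 200
    except Forbidden:
        return 403


# Constructed sample data covering the two cases named in the advisory text.
GUEST = User("guest", frozenset({"guest"}))
BOARD = User("board-member", frozenset({"guest", "board"}))
RESTRICTED = StoredFile(2, b"payroll.csv", frozenset({"finance"}))              # restricted, no password
GATED = StoredFile(3, b"board-minutes.pdf", frozenset({"board"}), "s3cret")    # restricted and password-protected


if __name__ == "__main__":
    for label, handler in (("vulnerable", submit_password_vulnerable), ("fixed", submit_password_fixed)):
        print(label,
              "guest->restricted:", attempt(handler, GUEST, RESTRICTED),
              "guest->gated(pw):", attempt(handler, GUEST, GATED, "s3cret"),
              "board->gated(pw):", attempt(handler, BOARD, GATED, "s3cret"))
```

The point of the hardened version is ordering and independence: the permission check runs before any password handling and its result cannot be overridden by what the requester submits. When auditing a real handler, look for the same property rather than for the presence of a password check alone.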

Defensive priority

Medium

Recommended defensive actions

  • Inventory Concrete CMS installations running 9.5.0 or earlier and prioritize upgrading to 9.5.1, the vendor release whose notes are referenced as the fix.
  • Audit file-download access controls and confirm that the view_file permission is evaluated before any download or password-handling step, so that knowing a password never substitutes for holding the permission.
  • Until patches are applied, limit exposure of sensitive files and re-check any content libraries that rely on password-only gating, since on affected versions the password alone does not restrict who can retrieve the file.
  • Review web server and application logs for unexpected requests to the restricted download endpoint, in particular password submissions for files that carry no password and repeated password submissions from a single source, and investigate any anomalous retrievals of protected files.
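The log review above can be scripted. The following is an added detection example written for this debrief, not a tool shipped by PatchSiren or Concrete CMS. It assumes the single page controller download_file.php is reached at /download_file/submit_password/<file ID> (with or without an index.php prefix), that a successful download returns HTTP 200, and that the operator can supply the set of file IDs that actually carry a download password; the log lines are constructed. Verify the route and status code against your own deployment before relying on the rules.

```python
"""Hunt for suspicious use of the download_file submit_password endpoint
in web server access logs. Hypothetical detection code written for this
debrief; the route pattern, status codes and log lines are assumptions.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# ASSUMPTION: the controller's action is routed as /download_file/submit_password/<fID>,
# optionally behind an index.php prefix. Adjust to the deployment's real route.
SUBMIT_PASSWORD_RE = re.compile(r'^/(?:index\.php/)?download_file/submit_password/(?P<fid>\d+)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines: Iterable[str], password_protected_ids: Set[int], guess_threshold: int = 5) -> List[Dict]:
    """Return findings for submit_password traffic that should not occur.

    1. A success (assumed HTTP 200) on submit_password for a file that has no
       download password: the normal UI never posts a password for such a file,
       so this matches the non-passworded-file case in the advisory.
    2. Repeated submit_password requests from one source for one file: password
       guessing, which on affected versions yields the file without view_file.
    """
    findings: List[Dict] = []
    attempts: Counter = Counter()
    for rec in (parse_line(line) for line in lines):
        if rec is None:
            continue
        m = SUBMIT_PASSWORD_RE.match(rec["path"])
        if not m:
            continue
        fid = int(m.group("fid"))
        attempts[(rec["ip"], fid)] += 1
        if rec["status"] == "200" and fid not in password_protected_ids:
            findings.append({"kind": "non_passworded_file_via_submit_password",
                             "ip": rec["ip"], "file_id": fid, "ts": rec["ts"]})
    for (ip, fid), n in sorted(attempts.items()):
        if n >= guess_threshold:
            findings.append({"kind": "password_guessing", "ip": ip, "file_id": fid, "attempts": n})
    return findings


# Constructed sample: file 77 is password-protected, file 12 is restricted but has no password.
PASSWORD_PROTECTED_FILE_IDS = {77}
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [21/May/2026:10:02:11 +0000] "GET /index.php/download_file/view/12 HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:10:03:40 +0000] "POST /index.php/download_file/submit_password/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.23 - - [21/May/2026:10:10:{s:02d} +0000] "POST /download_file/submit_password/77 HTTP/1.1" 403 412 "-" "curl/8.0"'
    for s in range(1, 6)
] + [
    '198.51.100.23 - - [21/May/2026:10:10:07 +0000] "POST /download_file/submit_password/77 HTTP/1.1" 200 20480 "-" "curl/8.0"',
    '192.0.2.5 - - [21/May/2026:11:00:00 +0000] "POST /index.php/download_file/submit_password/77 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:11:05:00 +0000] "GET /index.php/dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG_LINES, PASSWORD_PROTECTED_FILE_IDS):
        print(finding)
```

On the constructed sample the first rule flags the POST for file 12, which carries no password, and the second rule flags the six attempts from 198.51.100.23 against file 77; the single successful submission from 192.0.2.5 for the genuinely password-protected file is left alone, since that is what legitimate use looks like. Neither rule proves the requester lacked view_file, which the access log does not record, so findings are leads for investigation against the CMS's own permission data rather than confirmed exploitation.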

Evidence notes

The vulnerability description in the supplied CVE record states that submit_password() in concrete/controllers/single_page/download_file.php bypasses the view_file permission check. NVD also associates the issue with CWE-862 (missing authorization). The only supplied vendor reference is the Concrete CMS 9.5.1 release notes URL, which supports that this is a Concrete CMS issue and provides the vendor-linked remediation context.

Official resources

Publicly disclosed on 2026-05-21. The record credits Youssef Eid with reporting the issue. This debrief omits exploit details and focuses on defensive impact and remediation.