PatchSiren cyber security CVE debrief
CVE-2026-7886 Concrete CMS CVE debrief
CVE-2026-7886 describes an access-control flaw in Concrete CMS conversations. In affected versions, the AddMessage and UpdateMessage controllers accept user-supplied attachment IDs and load File entities directly, which means a user who can post in a conversation may reference files by sequential ID without a per-file authorization check. The result is an IDOR-style file permission bypass rather than a direct code execution issue. The published severity is low (CVSS v4.0 2.3), but the issue still matters on sites that rely on Concrete CMS file permissions to protect private content. If a deployment uses private files, the vendor guidance in the supplied description recommends keeping sensitive files in a private storage location outside the webroot so access can be enforced at view time as well.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Concrete CMS administrators, developers, and security owners—especially on sites that use conversation features and depend on file-manager permissions to protect private documents or media.
Technical summary
The vulnerability affects Concrete CMS 9.5.0 and below. The AddMessage and UpdateMessage conversation controllers accept an attachments[] parameter and resolve each supplied ID with $em->find(File::class, $attachmentID) without checking canViewFile(). That creates an IDOR condition (CWE-639): a user with permission to post in a conversation can supply another file's sequential database ID and have it attached or referenced, bypassing the intended per-file access controls. NVD lists the issue with CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.
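As an added illustration (not Concrete CMS project code), the lookup pattern described above placed beside a hardened form in which each supplied attachment ID is validated and then passed through a per-file permission check before it is accepted. The function names, the `$em` wiring, and the use of `Concrete\Core\Permission\Checker` for `canViewFile()` are assumptions for the example.

```php
<?php
// Added example, not Concrete CMS's own code. Assumed: $em is a Doctrine
// EntityManager, File is Concrete\Core\Entity\File\File, and Checker is
// Concrete\Core\Permission\Checker (which exposes canViewFile()).
use Concrete\Core\Entity\File\File;
use Concrete\Core\Permission\Checker;
use Doctrine\ORM\EntityManagerInterface;

// Shape described in the advisory: every supplied ID is loaded and kept
// with no per-file authorization, so any existing sequential ID is accepted.
function resolveAttachmentsUnchecked(EntityManagerInterface $em, array $ids): array
{
    $files = [];
    foreach ($ids as $attachmentID) {
        $file = $em->find(File::class, $attachmentID);
        if ($file !== null) {
            $files[] = $file;
        }
    }
    return $files;
}

// Hardened shape: validate the ID, then require view permission for the
// current user on each file before accepting it. Unknown or unviewable IDs
// raise rather than being silently dropped, so the controller can answer
// with a 403 and the rejection can be logged for detection.
function resolveAttachmentsChecked(EntityManagerInterface $em, array $ids): array
{
    $files = [];
    foreach ($ids as $attachmentID) {
        if (!ctype_digit((string) $attachmentID)) {
            throw new \InvalidArgumentException('Invalid attachment ID');
        }
        $file = $em->find(File::class, (int) $attachmentID);
        if ($file === null) {
            throw new \RuntimeException('Attachment not found');
        }
        $fp = new Checker($file);
        if (!$fp->canViewFile()) {
            // Record denied lookups; a burst of these from one account is a
            // useful signal that file IDs are being enumerated.
            error_log(sprintf('conversation attachment denied: fID=%d', $file->getFileID()));
            throw new \RuntimeException('Not authorized to attach this file');
        }
        $files[] = $file;
    }
    return $files;
}
```

The same check belongs at view time as well, which is why the vendor guidance on private storage outside the webroot still applies after the controller fix.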
Defensive priority
Low overall severity, but prioritize if your deployment stores sensitive files in the same location as general web-accessible content or relies heavily on conversation attachments. Verify that private file storage and view-time permission checks are in place.
Recommended defensive actions
- Review Concrete CMS deployments for affected versions and apply the vendor-fixed release once confirmed in the official Concrete CMS release notes.
- Move sensitive content to a private storage location outside the webroot, as recommended in the supplied vendor guidance, so files are protected at view time.
- Audit conversation attachment handling and confirm that any custom code or extensions enforce per-file authorization before loading File objects.
- Restrict who can post in conversations if conversation attachments are not required for all users.
- Check existing private-file assumptions and validate that file permissions are not being bypassed through sequential file IDs.
Evidence notes
The supplied corpus identifies Concrete CMS 9.5.0 and below as affected and describes an IDOR in AddMessage/UpdateMessage via attachments[]. NVD classifies the issue as CWE-639 and assigns CVSS v4.0 2.3 (LOW). The corpus also cites the official Concrete CMS 9.5.1 release-notes URL, but the full release-note contents are not included here. CVE published/modified timestamps supplied in the corpus are 2026-05-21T22:16:49.140Z. Reporter credit in the description is Tristan Mandani.
Official resources
- CVE-2026-7886 CVE record (CVE.org)
- CVE-2026-7886 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
CVE-2026-7886 was published and last modified on 2026-05-21T22:16:49.140Z. The supplied NVD source lists the status as Received.