PatchSiren cyber security CVE debrief

CVE-2026-8204 Concrete CMS CVE debrief

CVE-2026-8204 is a medium-severity authorization bypass in Concrete CMS calendar functionality. According to the CVE record, a public calendar block can be used as a pivot point to reach private calendar data through the Calendar Event Frontend Dialog, creating a cross-calendar data disclosure risk. The issue is reported as affecting Concrete CMS 9.5.0 and below, with a CVSS v4.0 score of 6.3. This is primarily a confidentiality concern rather than an integrity or availability issue.

Vendor: Concrete CMS
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-26
Advisory published: 2026-05-21
Advisory updated: 2026-05-26

Who should care

Concrete CMS administrators, developers, and security teams that use calendar blocks or expose calendar content to public users should review this CVE. Sites that keep separate public and private calendars are the most exposed, because the reported bypass can bridge that boundary.

Technical summary

The NVD record describes an authorization bypass in the Calendar Event Frontend Dialog. The key security impact is cross-calendar data disclosure: a public calendar block may be used as a pivot point to access private calendar data. NVD maps the weakness to CWE-639 (authorization bypass through a user-controlled key) and records the CVSS v4.0 vector as CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The vector indicates network-reachable exploitation with low attack complexity and no required privileges or user interaction, while Attack Requirements is marked present (AT:P), meaning exploitation depends on a deployment or execution condition; the impact is limited to low confidentiality loss on the vulnerable system.

Defensive priority

Medium. The flaw is publicly disclosed and can expose private calendar data, so organizations using affected Concrete CMS versions should treat it as a timely access-control issue even though the scored severity is not critical.

Recommended defensive actions

  • Confirm whether your Concrete CMS deployment is running version 9.5.0 or earlier and treat it as potentially affected.
  • Review the Concrete CMS release notes and apply the vendor fix or upgrade path for a non-vulnerable version newer than 9.5.0.
  • Audit public calendar blocks and related frontend dialog permissions to ensure private calendar data cannot be reached through public entry points.
  • Verify authorization checks on calendar event retrieval and dialog rendering paths, especially any code that distinguishes public versus private calendars.
  • Review logs and access patterns for unusual or unauthorized access to calendar content.
  • If calendar data separation matters to your environment, temporarily reduce exposure of public calendar features until remediation is completed.
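The audit items above come down to one check: an event requested through a public block must belong to the calendar that block renders, and the caller must be permitted to view that calendar. The following is an added illustration of that check and is not Concrete CMS code; the Calendar and Event records, the viewer list and the two sample calendars are constructed for the example, and the function names are hypothetical. The vulnerable variant shows the CWE-639 pattern, where the event ID from the request is the only key consulted, next to a hardened lookup that scopes the ID to the block's calendar and then enforces calendar visibility.

```python
"""Scoped authorization for a calendar event dialog (illustrative, not Concrete CMS code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Calendar:
    calendar_id: int
    is_public: bool
    # Users explicitly allowed to read a private calendar (constructed for the example).
    viewers: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Event:
    event_id: int
    calendar_id: int
    title: str


class AuthorizationError(Exception):
    """Raised when a dialog request would cross a calendar permission boundary."""


# Constructed sample data: one public calendar and one private calendar.
CALENDARS: Dict[int, Calendar] = {
    1: Calendar(calendar_id=1, is_public=True),
    2: Calendar(calendar_id=2, is_public=False, viewers=frozenset({"alice"})),
}
EVENTS: Dict[int, Event] = {
    100: Event(event_id=100, calendar_id=1, title="Public town hall"),
    200: Event(event_id=200, calendar_id=2, title="Private board meeting"),
}


def get_event_dialog_vulnerable(event_id: int) -> Event:
    """CWE-639 shape: the request-supplied event ID is the only key that is checked.

    Any event, from any calendar, is returned as long as the ID exists, so a block
    bound to a public calendar becomes a pivot into private calendar data.
    """
    return EVENTS[event_id]


def get_event_dialog(event_id: int, block_calendar_id: int, user: Optional[str]) -> Event:
    """Hardened lookup used by a block that renders exactly one calendar.

    1. The event must belong to the calendar the block is bound to; an ID from another
       calendar is rejected before any data is read.
    2. The calendar itself must be public, or the caller must be an allowed viewer.
    """
    event = EVENTS.get(event_id)
    if event is None or event.calendar_id != block_calendar_id:
        # Reject with the same error as "not found" so IDs cannot be probed by response.
        raise AuthorizationError("event is not part of this block's calendar")
    calendar = CALENDARS[event.calendar_id]
    if not calendar.is_public and user not in calendar.viewers:
        raise AuthorizationError("calendar is private")
    return event


def can_read_dialog(event_id: int, block_calendar_id: int, user: Optional[str]) -> bool:
    """Boolean wrapper for audits and tests: True only when the hardened path succeeds."""
    try:
        get_event_dialog(event_id, block_calendar_id, user)
        return True
    except AuthorizationError:
        return False


def audit_public_blocks(block_calendar_ids: Dict[str, int]) -> Dict[str, int]:
    """Count, per public block, how many private events the vulnerable path would expose.

    `block_calendar_ids` maps a block name to the calendar it renders (constructed input);
    the count is the number of private-calendar events an anonymous visitor could reach
    through that block if the event ID were the only key checked.
    """
    exposure: Dict[str, int] = {}
    for block, cal_id in block_calendar_ids.items():
        if not CALENDARS[cal_id].is_public:
            continue
        leaked = 0
        for event in EVENTS.values():
            private = not CALENDARS[event.calendar_id].is_public
            if private and not can_read_dialog(event.event_id, cal_id, None):
                leaked += 1
        exposure[block] = leaked
    return exposure


if __name__ == "__main__":
    print(audit_public_blocks({"homepage_calendar": 1}))  # one private event reachable
```

The `audit_public_blocks` helper is the defender-side view of the same check: it enumerates every private-calendar event and reports how many an anonymous visitor could reach through each public block if the block did not scope IDs to its own calendar, which is a direct way to size the exposure the advisory describes before and after applying the vendor fix.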

Evidence notes

All statements above are grounded in the supplied CVE/NVD metadata and the referenced Concrete CMS release-notes URL. The CVE description explicitly states Concrete CMS 9.5.0 and below are vulnerable to an authorization bypass in the Calendar Event Frontend Dialog that can allow cross-calendar data disclosure. NVD records the weakness as CWE-639 and provides the CVSS v4.0 vector. No exploit details, proof-of-concept steps, or unverified fix version were used.

Official resources

Publicly disclosed in the NVD/CVE record on 2026-05-21. The NVD entry references Concrete CMS release notes as the vendor source for remediation context. No KEV listing is indicated in the supplied data.