PatchSiren cyber security CVE debrief
CVE-2026-8236 Concrete CMS CVE debrief
CVE-2026-8236 describes an unauthenticated access-control flaw in Concrete CMS 9.5.0 and below. The endpoint /ccm/system/dialogs/file/usage/{fID} takes a file ID from the URL and, in response to a GET request with no authentication gate, returns internal site structure details such as page IDs, versions, and URL paths for the pages that use that file. The issue is scored CVSS v4.0 6.3 (medium) and is primarily an information-disclosure and access-control problem that helps an attacker map the application rather than modify it.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Concrete CMS administrators, hosting providers, and security teams operating affected versions (9.5.0 and below), especially environments where the Concrete CMS admin interface or dialogs are reachable from untrusted networks.
Technical summary
The supplied record characterizes the issue as an IDOR combined with a missing authentication gate: the affected route /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID and returns internal site structure data for that file in response to unauthenticated GET requests, and because the ID is a predictable integer, the endpoint can be walked sequentially. NVD associates the issue with CWE-862 (Missing Authorization). The recorded CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N: network-reachable, no privileges or user interaction, attack requirements marked present (AT:P), low confidentiality impact (VC:L), and no direct integrity or availability impact.
Defensive priority
Medium. The issue is network-reachable and requires no privileges or user interaction, and the data it exposes (page IDs, versions, URL paths) is the kind of internal structure that supports follow-on reconnaissance against the same site. Patch planning should be prompt, even though the direct impact is limited to information disclosure.
Recommended defensive actions
- Upgrade Concrete CMS to the fixed release referenced by the official 9.5.1 release notes (9.5.1 or later).
- Restrict external access to /ccm/system/dialogs/file/usage/{fID} and related admin/dialog endpoints until remediation is complete.
- Review access logs for requests to the affected path and for patterns suggesting file-ID enumeration or site-structure probing.
- Treat page IDs, version information, and URL paths as sensitive metadata and assess whether exposure would aid further attack paths.
- Confirm the deployed Concrete CMS version across all instances, including staging and customer-facing mirrors, and document remediation status.
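The log-review action above is easiest to operationalize as a script. The following is an added example written for this debrief, not code from Concrete CMS or from the CVE record: it parses web-server access logs in the common Apache/nginx "combined" format, picks out GET requests to /ccm/system/dialogs/file/usage/{fID}, and flags clients that touch many distinct file IDs in a short window, which is the shape file-ID enumeration against this endpoint would take. The log lines, IP addresses, thresholds and the `find_enumeration` helper name are all constructed for illustration. Note that access logs do not record session state, so the script detects enumeration behaviour, not whether a given request was authenticated; a single hit with a dashboard referer (as the second client below) is what legitimate admin use looks like and is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (combined log format). Not real traffic:
# the first client walks file IDs 1..6 in three seconds, the second is an
# admin opening one usage dialog from the dashboard, the third is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 200 812 "-" "curl/8.6.0"
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/2 HTTP/1.1" 200 640 "-" "curl/8.6.0"
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/3 HTTP/1.1" 200 701 "-" "curl/8.6.0"
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/4 HTTP/1.1" 404 0 "-" "curl/8.6.0"
203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /ccm/system/dialogs/file/usage/5 HTTP/1.1" 200 655 "-" "curl/8.6.0"
203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /ccm/system/dialogs/file/usage/6 HTTP/1.1" 200 690 "-" "curl/8.6.0"
198.51.100.20 - - [21/May/2026:10:05:10 +0000] "GET /ccm/system/dialogs/file/usage/42 HTTP/1.1" 200 950 "https://example.test/dashboard/files" "Mozilla/5.0"
198.51.100.20 - - [21/May/2026:10:05:12 +0000] "GET /index.php/dashboard/files HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
192.0.2.9 - - [21/May/2026:10:07:00 +0000] "GET /about HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The affected route, with an integer file ID and an optional trailing slash/query.
USAGE_RE = re.compile(r"^/ccm/system/dialogs/file/usage/(?P<fid>\d+)(?:[/?].*)?$")


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def longest_sequential_run(fids):
    """Length of the longest run of consecutive integers among the requested file IDs."""
    ids = sorted(set(fids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text, min_distinct_ids=5, window_seconds=300):
    """Summarize per-client activity against the file-usage route.

    A client is flagged when it requests at least `min_distinct_ids` distinct
    file IDs within any `window_seconds` span. Both thresholds are illustrative
    and should be tuned to the site's normal admin activity.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        u = USAGE_RE.match(rec["path"])
        if u:
            hits[rec["ip"]].append((rec["ts"], int(u.group("fid")), rec["status"], rec["referer"]))

    findings = {}
    for ip, events in hits.items():
        events.sort()
        # Sliding window: the largest number of distinct IDs seen within window_seconds.
        max_in_window = 0
        for i in range(len(events)):
            seen = set()
            for ts, fid, _, _ in events[i:]:
                if (ts - events[i][0]).total_seconds() > window_seconds:
                    break
                seen.add(fid)
            max_in_window = max(max_in_window, len(seen))
        fids = [e[1] for e in events]
        findings[ip] = {
            "requests": len(events),
            "distinct_ids": len(set(fids)),
            "max_distinct_in_window": max_in_window,
            "longest_sequential_run": longest_sequential_run(fids),
            "successful": sum(1 for e in events if e[2] == 200),
            "without_referer": sum(1 for e in events if e[3] == "-"),
            "flagged": max_in_window >= min_distinct_ids,
        }
    return findings


if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        tag = "ENUMERATION?" if summary["flagged"] else "ok"
        print(f"{ip:15} {tag:13} {summary}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a flagged client with a long sequential run, no referer and mostly 200 responses on an unpatched 9.5.0 instance is the pattern worth escalating. The 404 for ID 4 in the sample is left in deliberately: an enumerating client hits IDs that do not exist, so do not filter to successful responses before counting.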
Evidence notes
This debrief is based only on the supplied NVD-modified record and the official Concrete CMS 9.5.1 release-notes link referenced there. The record states that Concrete CMS 9.5.0 and below are affected, that the vulnerability is unauthenticated, and that the returned data includes internal site structure details. The NVD metadata lists CWE-862 and a CVSS v4.0 score of 6.3 with the vector provided. No KEV listing was supplied. The vendor field in the source corpus was low-confidence/needs review, so product identification is derived from the provided description and official reference link.
Official resources
- CVE-2026-8236 CVE record (CVE.org)
- CVE-2026-8236 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
Publicly disclosed in the CVE record on 2026-05-21. The supplied description credits Winston Crooker for reporting the issue.