PatchSiren cyber security CVE debrief

CVE-2026-8237 Concrete CMS CVE debrief

CVE-2026-8237 affects Concrete CMS 9.5.0 and below. An unauthenticated attacker can access the /ccm/frontend/conversations/message_detail endpoint to retrieve the full content of conversation messages they should not be able to see. The exposure includes messages from restricted pages, member-only areas, the moderation queue, and file attachment download URLs. The vulnerability was assigned CVSS v4.0 6.3 (Medium).

Vendor: Concrete CMS
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators, application owners, and security teams running Concrete CMS sites that use Conversations, moderation workflows, restricted pages, member-only content, or file attachments should review this issue promptly. It is especially relevant anywhere private user messages or linked files may contain sensitive information.

Technical summary

NVD describes this as an IDOR / access-control failure in Concrete CMS. The /ccm/frontend/conversations/message_detail endpoint returns the full content of conversation messages without requiring authentication, enabling enumeration of messages that should be access-controlled. The issue also exposes download URLs for attachments. NVD lists CWE-862 (Missing Authorization) and the CVSS v4.0 vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, indicating network reachability with no privileges or user interaction required (attack requirements are marked present, AT:P) and a low confidentiality impact centered on exposed message data, with no integrity or availability impact.

Defensive priority

Medium severity, but prioritize as soon as practical if your deployment uses Conversations or stores sensitive internal, moderated, or member-only content. Because the endpoint is unauthenticated and leaks message bodies plus attachment URLs, the practical exposure can be broader than the numeric CVSS score suggests.

Recommended defensive actions

  • Review your Concrete CMS deployment for use of Conversations, moderation queues, member-only content, and file attachments.
  • Restrict external access to affected instances until a vendor fix is confirmed and applied, especially if the site contains sensitive messages.
  • Check whether exposed conversation content or attachment URLs may have been accessible and assess any confidentiality impact.
  • Upgrade to a Concrete CMS version that includes the vendor remediation referenced by the Concrete CMS release notes linked from NVD.
  • After remediation, verify that /ccm/frontend/conversations/message_detail no longer exposes unauthorized content and that attachment URLs are access-controlled.
  • Monitor logs for unusual requests to conversation message endpoints and review for any evidence of enumeration.
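As an added example for the log-monitoring step above (not from the advisory or from Concrete CMS), the following Python flags clients in a combined-format access log that received many distinct message_detail responses within a short window, which is what enumeration of message IDs looks like from the server side. The endpoint path is the one named in the advisory; the threshold, the window, and the "id" parameter name in the constructed sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Path from the advisory; threshold/window are tuning assumptions, not vendor guidance.
TARGET_PATH = "/ccm/frontend/conversations/message_detail"
THRESHOLD, WINDOW = 5, timedelta(minutes=5)

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed samples; the "id" parameter name is made up (the advisory does not name it).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:10:00:0%d +0000] "GET %s?id=%d HTTP/1.1" 200 512 "-" "curl/8.0"'
    % (i, TARGET_PATH, i) for i in range(1, 7)      # six ids in six seconds
] + [
    '198.51.100.4 - - [21/May/2026:10:02:10 +0000] "GET %s?id=3 HTTP/1.1" 200 480 "-" "Mozilla/5.0"' % TARGET_PATH,
    '203.0.113.9 - - [21/May/2026:10:03:00 +0000] "GET %s?id=8 HTTP/1.1" 403 120 "-" "curl/8.0"' % TARGET_PATH,
]

def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "target": m.group("target"), "status": int(m.group("status"))}

def find_enumeration(lines, threshold=THRESHOLD, window=WINDOW):
    """{ip: n} for clients with >= threshold distinct message_detail queries (200 OK) inside window."""
    hits = defaultdict(list)  # ip -> [(timestamp, query string)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # unparsable, or denied (a 403 here is what the fixed endpoint should return)
        url = urlsplit(rec["target"])
        if url.path == TARGET_PATH:
            hits[rec["ip"]].append((rec["ts"], url.query))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # try a window starting at each event
            distinct = {q for ts, q in events[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                flagged[ip] = len(distinct)
                break
    return flagged
```

Counting distinct query strings rather than raw request volume keeps a single user reloading one message from tripping the rule; after patching, a burst of 403s on this path from one client is the same signal without the data loss.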

Evidence notes

The description provided in the source corpus states that Concrete CMS 9.5.0 and below is vulnerable to IDOR via /ccm/frontend/conversations/message_detail, with unauthenticated access to full conversation messages and attachment download URLs. The NVD record classifies the weakness as CWE-862 and supplies the CVSS v4.0 vector. NVD also links a Concrete CMS version-history release-notes page as the vendor reference.

Official resources

CVE-2026-8237 was published and last modified on 2026-05-21T22:16:49.773Z in the supplied timeline. Use that CVE publication timestamp as the issue date context for reporting and remediation tracking.