PatchSiren cyber security CVE debrief
CVE-2026-8238 Concrete CMS CVE debrief
CVE-2026-8238 is an information-disclosure flaw in Concrete CMS 9.5.0 and earlier. An attacker does not need to authenticate to retrieve full conversation message content through the frontend message endpoint, which can expose restricted-page, member-only, and moderation-queue messages as well as attachment download URLs.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Operators of Concrete CMS sites, especially those using private pages, member-only areas, conversation/message features, or moderation workflows, should treat this as a sensitive data exposure issue.
Technical summary
The CVE record and NVD entry describe an IDOR affecting the /ccm/frontend/conversations/message_page endpoint. Because object-level access checks are insufficient, an unauthenticated attacker can enumerate conversation message identifiers and obtain the full message body. The disclosed content can include messages tied to restricted pages, member-only areas, and the moderation queue, and file attachment download URLs may also be exposed. NVD maps the weakness to CWE-862 and lists a CVSS v4.0 score of 6.3 (MEDIUM).
Defensive priority
Medium — prioritize quickly if your Concrete CMS deployment stores private user, moderation, or attachment content in conversations.
Recommended defensive actions
- Identify Concrete CMS installations running version 9.5.0 or earlier and prioritize remediation.
- Review the vendor release notes referenced by NVD and upgrade to a patched Concrete CMS release newer than 9.5.0 as soon as possible.
- Temporarily restrict or monitor access to /ccm/frontend/conversations/message_page at the application edge if immediate patching is not feasible.
- Check logs for unusual enumeration of conversation message IDs or repeated access to the affected endpoint.
- Assume exposed conversation content and attachment download URLs may already be disclosed and review any sensitive material that could have been accessed.
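To support the log-review step above, here is an added example (not from the advisory or from Concrete CMS) that parses combined-format web server access logs and flags clients requesting many distinct conversation message IDs from the affected endpoint within a short window. The endpoint path is the one named in the CVE record; the query parameter name `cnvMessageID`, the thresholds and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the CVE record. The query parameter carrying the message
# identifier is an ASSUMPTION for this example; confirm the name in your own logs.
TARGET_PATH = "/ccm/frontend/conversations/message_page"
ID_PARAM = "cnvMessageID"

# Apache/nginx "combined" access-log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')

# Constructed sample lines: one client walking consecutive message IDs, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /ccm/frontend/conversations/message_page?cnvMessageID=101 HTTP/1.1" 200 842 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/frontend/conversations/message_page?cnvMessageID=102 HTTP/1.1" 200 790 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "GET /ccm/frontend/conversations/message_page?cnvMessageID=103 HTTP/1.1" 200 801 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:10:00:03 +0000] "GET /ccm/frontend/conversations/message_page?cnvMessageID=104 HTTP/1.1" 200 655 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:10:00:04 +0000] "GET /ccm/frontend/conversations/message_page?cnvMessageID=105 HTTP/1.1" 200 912 "-" "curl/8.0"
198.51.100.4 - - [21/May/2026:10:05:00 +0000] "GET /ccm/frontend/conversations/message_page?cnvMessageID=101 HTTP/1.1" 200 842 "-" "Mozilla/5.0"
198.51.100.4 - - [21/May/2026:10:05:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (client_ip, timestamp, message_id) for a hit on the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    ids = parse_qs(url.query).get(ID_PARAM)
    if url.path != TARGET_PATH or not ids:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), ids[0]

def find_enumeration(lines, min_distinct_ids=5, window_seconds=60):
    """Map client_ip -> most distinct message IDs requested inside any window, for clients over threshold."""
    hits = defaultdict(list)
    for ip, ts, mid in filter(None, map(parse_line, lines)):
        hits[ip].append((ts, mid))
    flagged = {}
    for ip, events in hits.items():
        events.sort()  # timestamps first, so each window is a contiguous slice
        for i, (start, _) in enumerate(events):
            seen = {mid for ts, mid in events[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(seen) >= min_distinct_ids:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))  # {'203.0.113.7': 5}
```

Tune the threshold and window to the normal traffic of your site; a legitimate user reading a long thread will request several messages, but rarely walks consecutive IDs at machine speed.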
Evidence notes
This debrief is based on the supplied CVE/NVD record published 2026-05-21 and the linked Concrete CMS 9.5.1 release notes reference. The corpus states that Concrete CMS 9.5.0 and below are affected, that /ccm/frontend/conversations/message_page returns the full content of any conversation message, and that unauthenticated attackers can enumerate messages from restricted pages, member-only areas, and the moderation queue while also exposing attachment download URLs. The record also assigns CWE-862 and CVSS v4.0 6.3.
Official resources
- CVE-2026-8238 CVE record (CVE.org)
- CVE-2026-8238 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
Publicly disclosed in the CVE/NVD record on 2026-05-21. The CVE description credits Tristan Madani for reporting.