VYPR
Medium severity · NVD Advisory · Published May 21, 2026

CVE-2026-6826

Description

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.5.0 and below exposes file usage information to unauthenticated attackers via missing permission check.

Vulnerability

Concrete CMS 9.5.0 and below contains a missing permission check in the usage controller, allowing unauthenticated users to access file usage information. The endpoint /ccm/system/dialogs/file/usage/{fID} does not verify authentication or authorization, enabling any visitor to query file usage.

Exploitation

An attacker can send a GET request to the vulnerable endpoint with a valid file ID. No authentication or special privileges are required. The request returns a list of pages that reference the specified file, including page IDs, handles, and full URLs.

Impact

This disclosure reveals which pages reference a given file, even if those pages are otherwise restricted by permissions. Attackers can map site structure, identify hidden or sensitive pages, and gather information for further attacks.

Mitigation

The vulnerability is fixed in Concrete CMS version 9.5.1 [1]. Users should upgrade to this version or later.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
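
For sites that ran an affected version, web access logs can show whether the usage endpoint was queried and by whom. The following is an added example, not part of the advisory or of Concrete CMS: it assumes access logs in common/combined log format, and the function names, the threshold of three distinct file IDs, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint path from the advisory. Searched anywhere in the request path so an
# index.php prefix or a subdirectory install still matches (assumption).
USAGE_PATH = re.compile(r"/ccm/system/dialogs/file/usage/(\d+)(?:[/?]|$)")
# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def usage_endpoint_hits(lines):
    """Group requests to the file-usage endpoint by client IP."""
    clients = defaultdict(lambda: {"file_ids": set(), "ok": 0, "total": 0})
    for line in lines:
        m = LOG_LINE.match(line)
        hit = USAGE_PATH.search(m["path"]) if m else None
        if not hit:
            continue  # unparseable line or a different URL
        entry = clients[m["ip"]]
        entry["total"] += 1
        entry["file_ids"].add(int(hit.group(1)))
        if m["status"] == "200":
            entry["ok"] += 1  # the server returned a usage list
    return dict(clients)

def enumerating_clients(clients, min_distinct_ids=3):
    """Clients that requested several file IDs and received at least one 200."""
    return sorted(ip for ip, e in clients.items()
                  if len(e["file_ids"]) >= min_distinct_ids and e["ok"] > 0)

# Constructed sample lines using documentation address ranges, not real traffic.
T = "[21/May/2026:10:00:0{} +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T.format(1)} "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - {T.format(2)} "GET /ccm/system/dialogs/file/usage/2 HTTP/1.1" 200 498 "-" "-"',
    f'203.0.113.7 - - {T.format(3)} "GET /ccm/system/dialogs/file/usage/3 HTTP/1.1" 200 530 "-" "-"',
    f'198.51.100.20 - - {T.format(4)} "GET /ccm/system/dialogs/file/usage/5 HTTP/1.1" 200 401 "-" "-"',
    f'198.51.100.20 - - {T.format(5)} "GET /about HTTP/1.1" 200 9000 "-" "-"',
    f'192.0.2.9 - - {T.format(6)} "GET /index.php/ccm/system/dialogs/file/usage/8?x=1 HTTP/1.1" 403 120 "-" "-"',
]

if __name__ == "__main__":
    hits = usage_endpoint_hits(SAMPLE_LOG)
    for ip in enumerating_clients(hits):
        print(ip, sorted(hits[ip]["file_ids"]), "200s:", hits[ip]["ok"])
```

An access log alone does not record whether a request carried a valid session, so flagged clients are candidates for review rather than confirmed disclosure.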

Affected products

2

References

1
