CVE-2026-8204
Description
Concrete CMS 9.5.0 and below is vulnerable to an authorization bypass in the Calendar Event Frontend Dialog, which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to Winston Crooker for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9.5.0 and below has an authorization bypass in the Calendar Event Frontend Dialog, allowing cross-calendar data disclosure via a public calendar block.
Concrete CMS 9.5.0 and below is vulnerable to an authorization bypass in the Calendar Event Frontend Dialog. The root cause is insufficient access control checks when the dialog is invoked, allowing a public calendar block to be used as a pivot point to access private calendar data [1].
Exploitation requires no authentication (PR:N) and no user interaction (UI:N), but the attacker must be able to reach a public calendar block on the affected Concrete CMS site. The attack complexity is low (AC:L), although the vector records that attack requirements are present (AT:P), meaning some precondition in the site's configuration or calendar setup must hold [1].
The impact is limited to low confidentiality (VC:L): an attacker could learn details of private calendar events that should not be visible through the public block. There is no integrity or availability impact (VI:N, VA:N), and no impact on subsequent systems (SC:N, SI:N, SA:N) [1].
The vulnerability is fixed in Concrete CMS version 9.5.1. Users are advised to upgrade to this or later versions. No workarounds have been provided [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.