VYPR
Medium severity · NVD Advisory · Published May 21, 2026

CVE-2026-8205

Description

Concrete CMS 9.5.0 and below is vulnerable to an authorization bypass in the Calendar Block: action_get_events does not check canView on the calendar, which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to lalalala5678 for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.5.0 and below allows unauthorized disclosure of restricted event details via Calendar Block due to missing access control.

Vulnerability

An authorization bypass vulnerability exists in the Calendar Block of Concrete CMS version 9.5.0 and earlier. The action_get_events method does not check the canView permission on the calendar, allowing unauthenticated or unauthorized users to retrieve event details that should be restricted. This issue was reported by lalalala5678 and is addressed in version 9.5.1 [1].

Exploitation

Exploitation requires network access (AV:N) with low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N). The AT:P component means Attack Requirements: Present, i.e. the target must be in a particular state for the attack to work; here that is, in practice, a deployed Calendar Block exposing a calendar whose events are restricted. Given that, an attacker can craft a request to the vulnerable action_get_events action and retrieve the event data without authenticating, so the issue is remotely exploitable.

Impact

The impact is limited to disclosure of event details that should have been restricted (VC:L: low confidentiality impact on the vulnerable system). There is no integrity (VI:N) or availability (VA:N) impact, and no impact on subsequent systems. Even so, this could expose sensitive meeting information or private calendar entries. The CVSS v4.0 score is 6.3 (Medium).

Mitigation

The fix is included in Concrete CMS version 9.5.1, which adds proper permission checks. Users are strongly recommended to upgrade to the latest version. No workarounds are mentioned in the release notes.
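The bug class described in the Vulnerability and Mitigation sections (an AJAX-style block action that loads a calendar from a client-supplied id and serializes its events without consulting the calendar's view permission) is shown below as an added example. This is a self-contained Python model written for this page, not Concrete CMS code: the User/Calendar/Event classes, the group-based can_view rule, the request shape and the function names get_events_vulnerable / get_events_fixed are all assumptions made for illustration. The vulnerable handler reproduces the missing check; the hardened handler performs the authorization before any event detail is returned and also validates the id.

```python
"""Added example: missing-authorization pattern in a 'get events' action.

Hypothetical model, not Concrete CMS code. Names, the permission rule and
the sample data below are constructed for illustration only.
"""
from dataclasses import dataclass, field, asdict


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()   # assumption: group-based view permissions


@dataclass
class Event:
    id: int
    title: str
    description: str


@dataclass
class Calendar:
    id: int
    name: str
    view_groups: frozenset            # groups allowed to view; empty means public
    events: list = field(default_factory=list)

    def can_view(self, user: User) -> bool:
        """Stand-in for the canView check the vulnerable action skipped."""
        return not self.view_groups or bool(self.view_groups & user.groups)


ANONYMOUS = User("guest")             # unauthenticated visitor: no groups


class CalendarStore:
    """Minimal lookup by id, standing in for the CMS calendar repository."""
    def __init__(self, calendars):
        self._by_id = {c.id: c for c in calendars}

    def get(self, cid):
        return self._by_id.get(cid)


def _parse_calendar_id(request):
    """Return the calendar id as an int, or None if the parameter is absent
    or not a positive integer (untrusted input, validate before lookup)."""
    raw = request.get("calendarID", "")
    return int(raw) if isinstance(raw, str) and raw.isdigit() and int(raw) > 0 else None


def get_events_vulnerable(store, request, user):
    """Vulnerable pattern: resolve the calendar from the request and return
    every event. 'user' is accepted but never consulted, which is the bug."""
    cid = _parse_calendar_id(request)
    cal = store.get(cid) if cid is not None else None
    if cal is None:
        return {"error": "not found"}, 404
    return {"events": [asdict(e) for e in cal.events]}, 200


def get_events_fixed(store, request, user):
    """Hardened pattern: identical lookup, but the caller is authorized against
    the calendar before any event detail is serialized."""
    cid = _parse_calendar_id(request)
    if cid is None:
        return {"error": "invalid calendarID"}, 400
    cal = store.get(cid)
    if cal is None:
        return {"error": "not found"}, 404
    if not cal.can_view(user):          # the missing check
        return {"error": "forbidden"}, 403
    return {"events": [asdict(e) for e in cal.events]}, 200


def build_sample_store():
    """Constructed sample data: one public calendar, one staff-only calendar."""
    public = Calendar(1, "Public events", frozenset(),
                      [Event(10, "Open day", "Campus tour, all welcome")])
    staff = Calendar(2, "Staff only", frozenset({"staff"}),
                     [Event(20, "Board meeting", "Q3 budget cuts, room 4B")])
    return CalendarStore([public, staff])


if __name__ == "__main__":
    store = build_sample_store()
    req = {"calendarID": "2"}
    print("vulnerable, anonymous:", get_events_vulnerable(store, req, ANONYMOUS))
    print("fixed, anonymous:     ", get_events_fixed(store, req, ANONYMOUS))
    print("fixed, staff member:  ", get_events_fixed(store, req, User("alice", frozenset({"staff"}))))
```

Running the module shows the anonymous caller receiving the "Board meeting" details from the vulnerable handler and a 403 from the hardened one, while a staff member still gets the data and the public calendar remains readable by everyone. If enumeration of calendar ids matters in a deployment, the 403 can be collapsed into the same 404 as the not-found case so that existence is not leaked; the essential point is that the permission check runs before serialization, not after.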

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
