Medium severity · NVD Advisory · Published May 21, 2026

CVE-2026-8240

Description

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to Winston Crooker for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.5.0 and below exposes private, draft, and restricted page metadata (title, path, description, author) to unauthenticated attackers via summary templates.

Root Cause

Concrete CMS versions 9.5.0 and below disclose page metadata for every page that has a configured summary template. The flaw allows unauthenticated users to retrieve metadata such as title, path, description, and author from pages that should be restricted, including private, draft, and hidden pages. The root cause is that the summary template logic does not enforce access control checks before rendering page metadata [1].
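To make the root cause concrete, here is an added illustration (not Concrete CMS's own code or its actual fix) of how a summary-template renderer should gate metadata behind the view permission; it assumes the Concrete CMS 9 `Page` and permission `Checker` classes and their accessors, and the function name is hypothetical. The point a practitioner wants is that the guard runs before any metadata is read, and that restricted pages and nonexistent pages produce the same response, so the endpoint cannot be used to confirm that a hidden page exists.

```php
<?php
// Added illustration, not Concrete CMS code. Assumes the Concrete CMS 9
// Page and Checker classes; summaryMetadataForCurrentUser() is hypothetical.

use Concrete\Core\Page\Page;
use Concrete\Core\Permission\Checker;

/**
 * Return summary metadata for a page only when the current user (guest if
 * unauthenticated) is allowed to view it. Returns null both for unknown
 * pages and for pages the user may not see, so the caller cannot tell
 * "does not exist" apart from "exists but is restricted".
 */
function summaryMetadataForCurrentUser(int $cID): ?array
{
    $page = Page::getByID($cID, 'ACTIVE');
    if (!is_object($page) || $page->isError()) {
        return null; // unknown page
    }

    // The step the vulnerable behaviour skips: enforce the view permission
    // before reading any metadata, which covers private and restricted pages.
    $checker = new Checker($page);
    if (!$checker->canViewPage()) {
        return null; // same response as for an unknown page
    }

    // Drafts are unpublished content; treat them like restricted pages.
    if ($page->isPageDraft()) {
        return null;
    }

    return [
        'title'       => $page->getCollectionName(),
        'path'        => $page->getCollectionPath(),
        'description' => $page->getCollectionDescription(),
        'author'      => (int) $page->getCollectionUserID(),
    ];
}
```

The same guard should apply when a summary is rendered inside a list of many pages: filter each page through the permission check rather than relying on the list query to exclude restricted pages.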

Attack Vector

The attack is over the network with low complexity, but requires the target page to have an active summary template configured. The attacker does not need any authentication or user interaction (AV:N/AC:L/PR:N/UI:N). The attack requires partial knowledge of the application's page structure (AT:P) [1]. By simply requesting the summary template endpoint for arbitrary page IDs or paths, an unauthenticated user can enumerate private pages and learn their existence, titles, paths, descriptions, and authors.

Impact

A successful exploit yields low confidentiality impact (VC:L) but no integrity or availability impact (VI:N/VA:N). The attacker learns the existence and metadata of restricted pages, which could aid in further attack planning or information gathering. The vulnerability does not expose page content or allow modification [1].

Mitigation

The Concrete CMS security team has assigned this issue a CVSS v4.0 score of 6.3 (Medium) and credits reporter Winston Crooker. The fix was released in Concrete CMS version 9.5.1, which includes a behavioral improvement that prevents moving or copying system pages (e.g., Dashboard pages) and other access control hardening, though the release notes do not explicitly mention this specific vulnerability in the listed fixes [1]. Users should upgrade to 9.5.1 or later to remediate the issue.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
