
Description

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via a missing permission check in the file usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with an arbitrary file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
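Because the disclosure is a plain GET against a fixed route, web server access logs are enough to find out whether anyone has been walking file IDs through it. The script below is an added example, not code from the advisory or from the Concrete CMS project: it parses combined-format access log lines (assumed format), picks out requests to the usage route named above, and flags source addresses that pulled usage information for several distinct file IDs. The log lines are constructed for the example, and the threshold of three distinct IDs is an assumption to tune per site. A 200 in the log does not by itself prove the caller was unauthenticated, so treat hits as triage leads rather than confirmed exploitation.

```python
import re
from collections import defaultdict

# Route from the advisory; the trailing group captures the numeric {fID}.
USAGE_PATH = re.compile(r'^/ccm/system/dialogs/file/usage/(\d+)(?:[/?]|$)')

# Apache/nginx "combined" log format (assumption about the log source).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic, not a real capture: one address enumerates
# four file IDs, one fetches a single ID, one is refused with a 403.
SAMPLE_LOG = """\
203.0.113.10 - - [21/May/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/12 HTTP/1.1" 200 1834
203.0.113.10 - - [21/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/13 HTTP/1.1" 200 902
203.0.113.10 - - [21/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/14 HTTP/1.1" 200 5120
203.0.113.10 - - [21/May/2026:10:00:03 +0000] "GET /ccm/system/dialogs/file/usage/15 HTTP/1.1" 200 3001
198.51.100.7 - - [21/May/2026:10:05:44 +0000] "GET /ccm/system/dialogs/file/usage/12 HTTP/1.1" 200 1834
198.51.100.7 - - [21/May/2026:10:05:50 +0000] "GET /index.php/dashboard/files/search HTTP/1.1" 200 40211
192.0.2.55 - - [21/May/2026:10:07:00 +0000] "GET /ccm/system/dialogs/file/usage/12 HTTP/1.1" 403 512
"""


def parse_usage_requests(log_text):
    """Yield (client_ip, file_id, http_status) for every request that hit
    the file usage dialog route. Lines that do not parse or do not match
    the route are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        p = USAGE_PATH.match(m.group('path'))
        if not p:
            continue
        yield m.group('ip'), int(p.group(1)), int(m.group('status'))


def find_enumerators(log_text, min_distinct_ids=3):
    """Return {client_ip: sorted file IDs} for sources that received a 200
    for at least min_distinct_ids distinct file IDs. Non-200 responses
    (e.g. a 403 from a patched install) are not counted as disclosures."""
    served = defaultdict(set)
    for ip, fid, status in parse_usage_requests(log_text):
        if status == 200:
            served[ip].add(fid)
    return {ip: sorted(ids) for ip, ids in served.items()
            if len(ids) >= min_distinct_ids}


if __name__ == '__main__':
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f'{ip} pulled usage for {len(ids)} files: {ids}')
```

Point the functions at a real log by reading the file into a string; lowering `min_distinct_ids` to 1 lists every address that was ever served a usage listing, which is the right starting set when reviewing logs from before the upgrade.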

Status: PUBLISHED | Reserved 2026-04-21 | Published 2026-05-21 | Updated 2026-05-21 | Assigner: ConcreteCMS

MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

5.0 (git)
affected

Credits

Eldudarino Trinsec reporter

References

documentation.concretecms.org/...n-history/951-release-notes release-notes

cve.org (CVE-2026-6826)

nvd.nist.gov (CVE-2026-6826)
