CVE-2026-6826
Published 2026-05-21
Priority: P4 · 31 · medium · 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.25% (16.2th percentile)
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 9.5.1 | 9.5.1 |
| concrete_cms | concrete_cms | 5.0 – 9.5.0 | — |
| concretecms | concrete_cms | < 9.5.1 | 9.5.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Concrete CMS up to 9.5.0 usage information disclosure (CNNVD-202605-4658)
vuldb·2026-05-23·CVSS 6.9
CVE-2026-6826 [MEDIUM] Concrete CMS up to 9.5.0 usage information disclosure (CNNVD-202605-4658)
A vulnerability was found in Concrete CMS up to 9.5.0. It has been rated as problematic. The affected element is an unknown function of the file /ccm/system/dialogs/file/usage/. Performing a manipulation results in information disclosure.
This vulnerability is known as CVE-2026-6826. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-4g7q-44qp-cc5c: Concrete CMS 9
ghsa_unreviewed·2026-05-21
CVE-2026-6826 [MEDIUM] CWE-200 GHSA-4g7q-44qp-cc5c: Concrete CMS 9
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
GHSA
Concrete CMS is vulnerable to unauthenticated file usage disclosure
ghsa·2026-05-21
CVE-2026-6826 [MEDIUM] CWE-200 Concrete CMS is vulnerable to unauthenticated file usage disclosure
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. Concrete CMS thanks Eldudareeno for reporting this issue.
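For triage on a site that ran 9.5.0 or below, the sketch below scans web access logs for requests to the usage endpoint named above and reports clients that were served usage data for several distinct file IDs. It is an added example, not code from Concrete CMS or from the advisories quoted here. Assumptions: combined log format, an optional `/index.php` prefix on the path, and a threshold of 3 distinct IDs. Access logs do not record session state, so the check is volume-based.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [22/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/2 HTTP/1.1" 200 498 "-" "-"
203.0.113.7 - - [22/May/2026:10:00:03 +0000] "GET /index.php/ccm/system/dialogs/file/usage/3 HTTP/1.1" 200 530 "-" "-"
198.51.100.4 - - [22/May/2026:10:05:00 +0000] "GET /ccm/system/dialogs/file/usage/17 HTTP/1.1" 200 601 "-" "-"
198.51.100.9 - - [22/May/2026:10:06:00 +0000] "GET /ccm/system/dialogs/file/usage/9 HTTP/1.1" 403 120 "-" "-"
192.0.2.10 - - [22/May/2026:10:07:00 +0000] "GET /blog/usage/5 HTTP/1.1" 200 900 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint path from the advisory; the numeric segment is the file ID (fID).
USAGE_RE = re.compile(r'/ccm/system/dialogs/file/usage/(?P<fid>\d+)(?:[/?#]|$)')

def usage_hits(log_text):
    """Yield (ip, fid, status) for each request to the file usage endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        u = USAGE_RE.search(m["path"])
        if u:
            yield m["ip"], int(u["fid"]), int(m["status"])

def enumeration_suspects(log_text, min_distinct=3):
    """Map client IP -> sorted file IDs it was served (2xx responses only),
    for clients reaching min_distinct distinct IDs (threshold is an assumption)."""
    served = defaultdict(set)
    for ip, fid, status in usage_hits(log_text):
        if 200 <= status < 300:
            served[ip].add(fid)
    return {ip: sorted(f) for ip, f in served.items() if len(f) >= min_distinct}

if __name__ == "__main__":
    for ip, fids in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip} was served usage data for file IDs {fids}")
```

The file IDs returned per client identify which files' referencing pages may have been disclosed, which scopes the review of restricted pages.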
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-21