{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7886", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "state": "PUBLISHED", "assignerShortName": "ConcreteCMS", "dateReserved": "2026-05-05T19:31:00.289Z", "datePublished": "2026-05-21T21:18:39.754Z", "dateUpdated": "2026-05-21T21:18:39.754Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-05-21T21:18:39.754Z"}, "title": "Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-639", "description": "CWE-639 Authorization bypass through User-Controlled key", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "Concrete CMS", "product": "Concrete CMS", "collectionURL": "https://github.com/concretecms/concretecms", "repo": "https://github.com/concretecms/concretecms", "versions": [{"status": "affected", "version": "5.0", "lessThanOrEqual": "9.5.0", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Concrete CMS 9.5.0 and below is vulnerable to\u00a0IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\u00a0The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.\u00a0 The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a02.3 with a vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.\u00a0Thanks Tristan Mandani for reporting.\u00a0if a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Concrete CMS 9.5.0 and below is vulnerable to&nbsp;IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.&nbsp;The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-&gt;find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.&nbsp; The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of&nbsp;2.3 with a vector&nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.&nbsp;<span>Thanks Tristan Mandani for reporting.&nbsp;</span><div><em>if a site truly has private files, the owner should set up a </em><a title=\"https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations\" href=\"https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations\"><em>private storage location</em></a><em> outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.</em><br><div><div><div><div><div></div></div></div></div><div></div></div><div><div></div></div><br></div>"}]}], "references": [{"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Tristan Mandani", "type": "finder"}], "source": {"defect": ["HackerOne"], "advisory": "https://hackerone.com/reports/3626635", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{}

{}

{}

{}