QSearchQSearch

CVE-2026-7886

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permiss...

Published: 2026-05-21 · Last updated: 2026-05-21

Severity and scoring

CWE
CWE-639

Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. if a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-53863 OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs (7.1 HIGH)
  • CVE-2026-10780 The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2 (4.3 MEDIUM)
  • CVE-2026-48599 Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify res...
  • CVE-2026-52699 Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions (7.5 HIGH)
  • CVE-2026-48872 Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions (7.5 HIGH)