CVE-2026-7886 (GCVE-0-2026-7886)

Vulnerability from cvelistv5 – Published: 2026-05-21 21:18 – Updated: 2026-05-22 13:12
VLAI
Title
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter
Summary
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. if a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file.
Severity
2.3 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
Impacted products
Vendor Product Version
Concrete CMS Concrete CMS Affected: 5.0 , ≤ 9.5.0 (git)
Create a notification for this product.
Credits
Tristan Mandani
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7886",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T13:11:53.038446Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T13:12:00.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/concretecms/concretecms",
          "defaultStatus": "unaffected",
          "product": "Concrete CMS",
          "repo": "https://github.com/concretecms/concretecms",
          "vendor": "Concrete CMS",
          "versions": [
            {
              "lessThanOrEqual": "9.5.0",
              "status": "affected",
              "version": "5.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tristan Mandani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Concrete CMS 9.5.0 and below is vulnerable to\u0026nbsp;IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\u0026nbsp;The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-\u0026gt;find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.\u0026nbsp; The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u0026nbsp;2.3 with a vector\u0026nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.\u0026nbsp;\u003cspan\u003eThanks Tristan Mandani for reporting.\u0026nbsp;\u003c/span\u003e\u003cdiv\u003e\u003cem\u003eif a site truly has private files, the owner should set up a \u003c/em\u003e\u003ca title=\"https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations\" href=\"https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations\"\u003e\u003cem\u003eprivate storage location\u003c/em\u003e\u003c/a\u003e\u003cem\u003e outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won\u0027t be able to view the file.\u003c/em\u003e\u003cbr\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Concrete CMS 9.5.0 and below is vulnerable to\u00a0IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\u00a0The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-\u003efind(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.\u00a0 The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a02.3 with a vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.\u00a0Thanks Tristan Mandani for reporting.\u00a0if a site truly has private files, the owner should set up a  private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations  outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won\u0027t be able to view the file."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T21:18:39.754Z",
        "orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
        "shortName": "ConcreteCMS"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
        }
      ],
      "source": {
        "advisory": "https://hackerone.com/reports/3626635",
        "defect": [
          "HackerOne"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de",
    "assignerShortName": "ConcreteCMS",
    "cveId": "CVE-2026-7886",
    "datePublished": "2026-05-21T21:18:39.754Z",
    "dateReserved": "2026-05-05T19:31:00.289Z",
    "dateUpdated": "2026-05-22T13:12:00.371Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-7886",
      "date": "2026-05-28",
      "epss": "0.00017",
      "percentile": "0.0442"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-7886\",\"sourceIdentifier\":\"ff5b8ace-8b95-4078-9743-eac1ca5451de\",\"published\":\"2026-05-21T22:16:49.140\",\"lastModified\":\"2026-05-21T22:16:49.140\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Concrete CMS 9.5.0 and below is vulnerable to\u00a0IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\u00a0The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-\u003efind(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.\u00a0 The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a02.3 with a vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.\u00a0Thanks Tristan Mandani for reporting.\u00a0if a site truly has private files, the owner should set up a  private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations  outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won\u0027t be able to view the file.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ff5b8ace-8b95-4078-9743-eac1ca5451de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"ff5b8ace-8b95-4078-9743-eac1ca5451de\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes\",\"source\":\"ff5b8ace-8b95-4078-9743-eac1ca5451de\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-7886\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-22T13:11:53.038446Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-22T13:11:56.575Z\"}}], \"cna\": {\"title\": \"Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter\", \"source\": {\"defect\": [\"HackerOne\"], \"advisory\": \"https://hackerone.com/reports/3626635\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tristan Mandani\"}], \"impacts\": [{\"capecId\": \"CAPEC-1\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/concretecms/concretecms\", \"vendor\": \"Concrete CMS\", \"product\": \"Concrete CMS\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.0\", \"versionType\": \"git\", \"lessThanOrEqual\": \"9.5.0\"}], \"collectionURL\": \"https://github.com/concretecms/concretecms\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes\", \"tags\": [\"release-notes\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Concrete CMS 9.5.0 and below is vulnerable to\\u00a0IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\\u00a0The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-\u003efind(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.\\u00a0 The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\\u00a02.3 with a vector\\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.\\u00a0Thanks Tristan Mandani for reporting.\\u00a0if a site truly has private files, the owner should set up a  private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations  outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won\u0027t be able to view the file.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Concrete CMS 9.5.0 and below is vulnerable to\u0026nbsp;IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass.\u0026nbsp;The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em-\u0026gt;find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system.\u0026nbsp; The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u0026nbsp;2.3 with a vector\u0026nbsp;CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.\u0026nbsp;\u003cspan\u003eThanks Tristan Mandani for reporting.\u0026nbsp;\u003c/span\u003e\u003cdiv\u003e\u003cem\u003eif a site truly has private files, the owner should set up a \u003c/em\u003e\u003ca title=\\\"https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations\\\" href=\\\"https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations\\\"\u003e\u003cem\u003eprivate storage location\u003c/em\u003e\u003c/a\u003e\u003cem\u003e outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won\u0027t be able to view the file.\u003c/em\u003e\u003cbr\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization bypass through User-Controlled key\"}]}], \"providerMetadata\": {\"orgId\": \"ff5b8ace-8b95-4078-9743-eac1ca5451de\", \"shortName\": \"ConcreteCMS\", \"dateUpdated\": \"2026-05-21T21:18:39.754Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-7886\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-22T13:12:00.371Z\", \"dateReserved\": \"2026-05-05T19:31:00.289Z\", \"assignerOrgId\": \"ff5b8ace-8b95-4078-9743-eac1ca5451de\", \"datePublished\": \"2026-05-21T21:18:39.754Z\", \"assignerShortName\": \"ConcreteCMS\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.