CVE-2026-7879 MEDIUM

CVE-2026-7879: Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submit_password()

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-862 · Missing authorization
Published May 21, 2026
Last update May 22, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

In Concrete CMS 9.5.0 and below,  the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N.  Thanks Youssef Eid for reporting

Key dates

02Disclosure timeline

May 21, 2026 CVE published
May 22, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-22486 WordPress Re Gallery plugin <= 1.18.9 - Broken Access Control vulnerability CVE-2026-1942 Blog2Social: Social Media Auto Post & Scheduler <= 8.7.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification CVE-2025-50009 WordPress Kata Plus plugin <= 1.5.3 - Broken Access Control Vulnerability CVE-2024-32828 WordPress Table Rate Shipping Method for WooCommerce by Flexible Shipping plugin <= 4.24.15 - Broken Access Control vulnerability CVE-2026-35063 Missing Authorization in OpenPLC_V3