CVE-2026-8238 MEDIUM

CVE-2026-8238: Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/message_page' allowing unauthenticated read of any conversation message

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-862 · Missing authorization
Published May 21, 2026
Last update May 22, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.

Key dates

02Disclosure timeline

May 21, 2026 CVE published
May 22, 2026 Record updated