Unauthenticated File Usage Disclosure in Concrete CMS by Concrete5
CVE-2026-6826

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 21 May 2026

What is CVE-2026-6826?

Concrete CMS version 9.5.0 and earlier contains a vulnerability that lets unauthenticated users access sensitive information about file usage. Because the usage controller is missing a permission check, an attacker can request specific endpoints with a file ID and receive a list of pages that reference that file. The response reveals critical details such as page IDs and URLs, potentially compromising the privacy of restricted pages. Website administrators should urgently apply the recommended patches to mitigate this flaw and secure their installation.

Affected Version(s)

Concrete CMS 5.0 <= 9.5.0

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eldudarino Trinsec