Unauthorized File Access in Concrete CMS by Concrete Five
CVE-2026-7879

6.3 MEDIUM

Key Information:

Vendor
CVE Published: 21 May 2026

What is CVE-2026-7879?

In versions of Concrete CMS up to 9.5.0, a flaw in the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized access to files. The method skips the view_file permission check, so any user can download files even when permissions restrict access to them. Furthermore, files that require a password can be downloaded by any user who knows the password, irrespective of that user's permissions.

Affected Version(s)

Concrete CMS 5.0 <= 9.5.0

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Youssef Eid