Vulnerability Description
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via a missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.
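To check whether the usage endpoint described above has been walked across many file IDs, a web access log can be reviewed per client. The following is an added example, not code from Concrete CMS or from this advisory: it flags clients that received successful responses for several distinct file IDs. The log format (common log format), the optional /index.php prefix, the use of HTTP 200 as the success signal, the threshold and the sample lines are all assumptions; an access log alone does not show whether a request was authenticated.

```python
import re
from collections import defaultdict

# Endpoint path from the advisory; the optional /index.php prefix is an
# assumption for sites running without pretty URLs.
USAGE_RE = re.compile(r"^(?:/index\.php)?/ccm/system/dialogs/file/usage/([^/?#\s]+)")
# Common log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/2 HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "GET /index.php/ccm/system/dialogs/file/usage/3?x=1 HTTP/1.1" 200 530',
    '203.0.113.7 - - [01/Jan/2026:10:00:04 +0000] "GET /ccm/system/dialogs/file/usage/4 HTTP/1.1" 404 120',
    '198.51.100.20 - - [01/Jan/2026:10:05:00 +0000] "GET /ccm/system/dialogs/file/usage/17 HTTP/1.1" 200 505',
    '198.51.100.20 - - [01/Jan/2026:10:05:09 +0000] "GET /blog/post HTTP/1.1" 200 9001',
]

def usage_hits(lines):
    """Yield (client_ip, file_id, status) for every request to the usage endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        hit = USAGE_RE.match(target)
        if hit:
            yield ip, hit.group(1), int(status)

def enumerating_clients(lines, min_distinct=3):
    """Return {ip: sorted file IDs} for clients with 200 responses on at least
    min_distinct different file IDs (the threshold is an assumption to tune)."""
    seen = defaultdict(set)
    for ip, file_id, status in usage_hits(lines):
        if status == 200:
            seen[ip].add(file_id)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_distinct}

if __name__ == "__main__":
    for ip, ids in enumerating_clients(SAMPLE_LOG).items():
        print(f"{ip}: usage data returned for file IDs {', '.join(ids)}")
```

A single legitimate editor session can also touch this dialog, so review flagged clients against known administrator addresses before treating a hit as disclosure.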
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-6826?
CVE-2026-6826 is a documented vulnerability. Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/...
How severe is CVE-2026-6826?
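No CVSS score from NVD is listed yet for CVE-2026-6826. The Concrete CMS security team's own assessment, given in the description above, is 6.9 under CVSS v.4.0. Check NVD for updates.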
Is there a patch for CVE-2026-6826?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.