Vulnerability Description
In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Youssef Eid for reporting
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-7879?
CVE-2026-7879 is a documented vulnerability. In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypas...
How severe is CVE-2026-7879?
CVSS scoring is not yet available for CVE-2026-7879. Check NVD for updates.
Is there a patch for CVE-2026-7879?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.