Unknown · Concrete Cms · CVE-2026-6826
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions 9.5.0 and earlier
**Description**
An issue exists where a missing permission check in the usage controller allows unauthenticated visitors to disclose file usage information. By requesting the endpoint '/ccm/system/dialogs/file/usage/{fID}' using any file ID via the `fID` variable, an attacker can obtain a list of every page referencing that file, including page IDs, handles, and full URLs. This disclosure includes pages that are otherwise restricted by permissions.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.