PT-2026-42556 · Unknown · Concrete Cms

Tristan Mandani · Published 2026-05-21 · Updated 2026-05-22 · CVE-2026-7886

CVSS v4.0: 2.3 (Low)

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.1

Description: An Insecure Direct Object Reference (IDOR) exists in the 'AddMessage' and 'UpdateMessage' conversation controllers. These controllers accept user-supplied file attachment IDs through the attachments[] parameter and load files using the find(File::class, $attachmentID) function without verifying per-file permissions via canViewFile(). This allows a user with permission to post in any conversation to reference any file in the CMS file manager by its sequential ID, bypassing the file permission system.

Recommendations: Update to a version newer than 9.5.0. Set up a private storage location outside of the webroot for private files to ensure permissions are checked during viewing.
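The pattern behind this finding, shown as an added example rather than Concrete CMS code: a lookup that trusts every ID in attachments[] once it resolves, next to the same lookup gated by a per-file view check. The repository, file entity and permission checker are hypothetical stand-ins (the "owner only" rule is a simplification of the CMS's permission model), and the request data is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical file entity; Concrete CMS's own File class is not modelled here.
final class FileEntity {
    public function __construct(public int $id, public string $name, public int $ownerId) {}
}

// Stand-in for the ORM lookup (find(File::class, $id)) over constructed sample data.
final class FileRepository {
    /** @var array<int, FileEntity> */
    private array $files;
    public function __construct() {
        $this->files = [
            1 => new FileEntity(1, 'public-logo.png', 1),
            2 => new FileEntity(2, 'payroll.xlsx', 7),   // owned by a different user
        ];
    }
    public function find(int $id): ?FileEntity { return $this->files[$id] ?? null; }
}

// Stand-in for the per-file permission check (canViewFile()): owner-only here.
final class FilePermissionChecker {
    public function __construct(private int $currentUserId) {}
    public function canViewFile(FileEntity $f): bool { return $f->ownerId === $this->currentUserId; }
}

// Vulnerable shape: any id that resolves is attached, so sequential ids enumerate every file.
function resolveAttachmentsVulnerable(FileRepository $repo, array $attachmentIds): array {
    $files = [];
    foreach ($attachmentIds as $rawId) {
        $file = $repo->find((int) $rawId);
        if ($file !== null) { $files[] = $file; }
    }
    return $files;
}

// Hardened shape: fail closed on the whole request if any referenced file is not viewable.
function resolveAttachmentsChecked(FileRepository $repo, FilePermissionChecker $perm, array $attachmentIds): array {
    $files = [];
    foreach ($attachmentIds as $rawId) {
        $file = $repo->find((int) $rawId);
        if ($file === null || !$perm->canViewFile($file)) {
            throw new RuntimeException("Attachment {$rawId} not found or not permitted");
        }
        $files[] = $file;
    }
    return $files;
}

$repo = new FileRepository();
$perm = new FilePermissionChecker(currentUserId: 1);
$attachments = ['1', '2'];   // constructed attachments[] input: id 2 belongs to user 7
echo count(resolveAttachmentsVulnerable($repo, $attachments)), " file(s) attached without a check\n";
try {
    resolveAttachmentsChecked($repo, $perm, $attachments);
} catch (RuntimeException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

Rejecting the whole request, rather than silently skipping unpermitted IDs, keeps the response from revealing which IDs exist.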

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-7886

Affected Products: Concrete Cms