PT-2026-42558 · Unknown · Concrete Cms

Winston Crooker · Published 2026-05-21 · Updated 2026-05-26 · CVE-2026-8236

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions 9.5.0 and earlier

Description: An Insecure Direct Object Reference (IDOR), which occurs when an application provides direct access to objects based on user-supplied input, combined with a missing authentication gate, allows unauthorized users to retrieve internal site structure data. By sending a GET request to the endpoint '/ccm/system/dialogs/file/usage/{fID}', an attacker can vary the fID value to obtain page IDs, versions, and URL paths.

Recommendations: Update to a version later than 9.5.0. As a temporary workaround, restrict access to the '/ccm/system/dialogs/file/usage/{fID}' endpoint to reduce the risk of exploitation.
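As an added detection example (not part of this advisory and not Concrete CMS code), the following Python scans web-server access logs in combined log format for enumeration of the affected endpoint: a source address that successfully fetches several distinct fID values with no referer, which is not how the dialog is normally reached from the dashboard. The referer heuristic and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2026:10:00:01 +0000] "GET /ccm/system/dialogs/file/usage/101 HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.5 - - [21/May/2026:10:00:02 +0000] "GET /ccm/system/dialogs/file/usage/102 HTTP/1.1" 200 790 "-" "curl/8.0"
203.0.113.5 - - [21/May/2026:10:00:03 +0000] "GET /ccm/system/dialogs/file/usage/103 HTTP/1.1" 200 805 "-" "curl/8.0"
198.51.100.7 - - [21/May/2026:10:05:00 +0000] "GET /ccm/system/dialogs/file/usage/55 HTTP/1.1" 200 640 "https://example.test/dashboard/files" "Mozilla/5.0"
203.0.113.9 - - [21/May/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# The endpoint named in the advisory, with the fID path segment captured.
USAGE_RE = re.compile(r'^/ccm/system/dialogs/file/usage/(?P<fid>\d+)(?:[/?]|$)')


def parse_usage_requests(log_text):
    """Yield (ip, fid, status, referer) for each GET to the file-usage dialog endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash
        u = USAGE_RE.match(m["path"])
        if u and m["method"] == "GET":
            yield m["ip"], int(u["fid"]), int(m["status"]), m["referer"]


def find_enumeration(log_text, min_distinct_fids=3):
    """Flag source IPs that received 200 responses for at least `min_distinct_fids`
    distinct fID values and never sent a referer (assumed heuristic, tune per site)."""
    per_ip = defaultdict(lambda: {"fids": set(), "has_referer": False})
    for ip, fid, status, referer in parse_usage_requests(log_text):
        if status != 200:
            continue  # only successful disclosures count toward the threshold
        entry = per_ip[ip]
        entry["fids"].add(fid)
        if referer not in ("", "-"):
            entry["has_referer"] = True
    findings = []
    for ip, entry in sorted(per_ip.items()):
        if len(entry["fids"]) >= min_distinct_fids and not entry["has_referer"]:
            findings.append({"ip": ip, "fids": sorted(entry["fids"])})
    return findings
```

Run against real logs by passing the file contents to find_enumeration; a non-empty result is a lead to correlate with the site's session logs, not a confirmed exploitation by itself.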

Fix
Missing Authorization
Weakness Enumeration

Related Identifiers: CVE-2026-8236

Affected Products: Concrete Cms