Listen to this Post
How the CVE works
The vulnerability exists in Concrete CMS versions 9.5.0 and below due to a missing permission check in the file usage controller. The endpoint `/ccm/system/dialogs/file/usage/{fID}` is accessible without any authentication. An unauthenticated attacker can replace `{fID}` with any numeric file ID present on the target system. The controller fails to verify whether the requesting user has rights to view the file or associated page metadata. Upon a valid request, the application returns a JSON response containing a list of all pages that reference that specific file. This disclosure includes page IDs (cID), page handles, and full URLs. The leak extends to pages that are otherwise restricted by permissions (e.g., private drafts, admin-only sections). No CSRF token or rate limiting is applied to this endpoint. The attack requires no privileges, user interaction, or complex preconditions. It can be performed over the network with low complexity. The only requirement is knowledge of a valid file ID, which can be guessed or enumerated due to sequential IDs. The Concrete CMS security team assigned a CVSS v4.0 score of 6.9 (Medium). The vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability was reported by Eldudareeno. NVD published the entry on May 21, 2026, with last modification on May 26, 2026. The issue stems from CWE-862 (Missing Authorization). No public exploit or patch was available at the time of disclosure. The usage controller should have checked `canViewFile` permissions before returning page references.
DailyCVE Form
Platform: Concrete CMS
Version: 9.5.0 below
Vulnerability: Unauthenticated file disclosure
Severity: Medium (6.9)
date: 2026-05-21
Prediction: Patch within 2 weeks (2026-06-04)
Analytics
What Undercode Say:
Enumerate file IDs by brute force (1-1000)
for fID in {1..1000}; do
curl -s "https://target.com/ccm/system/dialogs/file/usage/$fID" | jq '.' && echo "File $fID leaked"
done
Extract all URLs from a single file ID response
curl -s "https://target.com/ccm/system/dialogs/file/usage/42" | jq '.pages[].url'
Batch check with parallel
seq 1 1000 | parallel -j50 'curl -s "https://target.com/ccm/system/dialogs/file/usage/{}" | grep -q "pageId" && echo "Vulnerable file: {}"'
Exploit:
Unauthenticated GET request to `/ccm/system/dialogs/file/usage/123` returns JSON with {"pages":[{"pageId":5,"handle":"private","url":"https://target.com/private-page"}]}. Attackers can iterate file IDs to map all page references, exposing hidden or restricted content locations.
Protection from this CVE
Upgrade to Concrete CMS 9.5.1 or later (when released). Apply patch that adds `$file->canViewFile()` check in concrete/controllers/panel/detail/file/usage.php. Block `/ccm/system/dialogs/file/usage/` via WAF or .htaccess for unauthenticated users. Implement rate limiting and randomize file IDs.
Impact
Information disclosure of internal page metadata, including IDs, handles, and URLs of restricted/private pages. Attackers can map site structure, identify high-value pages, and plan further attacks. No direct file content disclosure, but exposure of page relationships undermines access controls.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

