CVE-2026-7879

Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submit_password()

Assigner: ConcreteCMS
Reserved: 05.05.2026 Published: 21.05.2026 Updated: 22.05.2026

In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Youssef Eid for reporting

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Concrete CMS
Product	Concrete CMS
Versions	Default: unaffected affected from 5.0 to 9.5.0 (incl.)

Vendor

Concrete CMS

Product

Concrete CMS

Versions

Default: unaffected

affected from 5.0 to 9.5.0 (incl.)

Credits

Youssef Eid finder

References

Problem Types

CWE-862 CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs