CVE-2026-7882
Concrete CMS Unauthorized File Deletion via Inverted CSRF Check
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | to 9.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Concrete CMS version 9.5.0 and below has a vulnerability in its DeleteFile controller caused by an inverted CSRF token check. Instead of preventing unauthorized actions when the CSRF token is invalid or missing, the code erroneously throws an error when the token is valid and proceeds with file deletion when the token is invalid or missing. This flaw disables CSRF protection for the file deletion endpoint.
As a result, attackers can perform cross-site request forgery (CSRF) attacks to delete files without proper authorization, targeting users who have permission to edit conversation messages.
How can this vulnerability impact me? :
This vulnerability allows attackers to delete files without proper authorization by exploiting the disabled CSRF protection on the file deletion endpoint.
If you are a user with permission to edit conversation messages, an attacker could trick you into unknowingly deleting files, potentially leading to data loss or disruption of service.