CVE-2026-8140
CSRF to Arbitrary Package Download in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | up to and including 9.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS version 9.5.0 and below. It occurs because the system does not validate a CSRF (Cross-Site Request Forgery) token before processing requests to the download endpoint for marketplace packages. Specifically, the download() method only checks if the user has permission to install packages but does not enforce token validation. Because the endpoint is a state-changing GET route without token enforcement, an attacker can trick an authenticated administrator into visiting a malicious page that forces the download of an arbitrary marketplace package to the server.
To be vulnerable, the administrator must have the canInstallPackages() permission and the site must be connected to the Concrete marketplace.
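The following is an added illustration, not Concrete CMS code: a minimal model of a marketplace-download handler with the permission-only check described above beside a hardened form that requires POST and validates a per-session token. The parameter name `ccm_token`, the session model and the package names are assumptions made for the example.

```python
"""Constructed model of a state-changing download endpoint with and without
CSRF protection. Not Concrete CMS code; names are illustrative assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    can_install_packages: bool  # stands in for the canInstallPackages() check
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: dict
    session: Session  # the browser attaches the victim's cookies automatically


def download_vulnerable(req: Request):
    """Permission check only: a cross-site GET issued from an admin's browser
    carries the admin's session, so it is accepted."""
    if not req.session.can_install_packages:
        return 403, None
    return 200, f"downloaded {req.params.get('package')}"


def download_hardened(req: Request):
    """State change requires POST plus a token bound to the caller's session,
    which a third-party page cannot read and therefore cannot supply."""
    if not req.session.can_install_packages:
        return 403, None
    if req.method != "POST":
        return 405, None
    supplied = req.params.get("ccm_token", "")  # assumed parameter name
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return 403, None
    return 200, f"downloaded {req.params.get('package')}"


def cross_site_request(session: Session) -> Request:
    """What a third-party page can cause the browser to send: method and
    query of its choosing, cookies included, but no per-session token."""
    return Request("GET", {"package": "example_package"}, session)


def legitimate_request(session: Session) -> Request:
    """A form submission rendered by the CMS itself, carrying the token."""
    return Request("POST", {"package": "example_package",
                            "ccm_token": session.csrf_token}, session)
```

The same `Session` passes both handlers for the legitimate request, while the cross-site request is accepted only by the permission-only handler.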
How can this vulnerability impact me?
This vulnerability can allow an attacker to force the download of arbitrary marketplace packages onto the server without proper authorization. This could lead to unauthorized code or software being installed, potentially compromising the integrity and security of the server and the CMS installation.