CVE-2026-8417
CSRF in Concrete CMS Package Update
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete_cms | concrete_cms | to 9.5.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Concrete CMS version 9.5.0 and below. It occurs because the system does not validate a CSRF (Cross-Site Request Forgery) token before processing requests to the /dashboard/extend/update/do_update/<pkgHandle> endpoint.
The do_update() method checks only if the user can install packages (canInstallPackages()) before executing upgradeCoreData() and upgrade() on the specified package's controller. Since this endpoint is a state-changing GET route without token enforcement, an attacker can trick an authenticated administrator into triggering a package upgrade simply by making them visit a malicious link.
For the attack to succeed, the victim must have permission to install packages and the targeted package must already be installed.
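The following PHP example, added here and not taken from Concrete CMS, shows the handler shape the advisory describes (authorization check only, reachable by GET) next to a hardened form that requires POST and a session-bound anti-CSRF token. The helper names (canInstallPackages, upgradePackage, getCsrfToken), the request/session arrays, and the field name ccm_token are assumptions made for this illustration, not the project's actual API.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. All helper names are assumptions.

// Session-bound anti-CSRF secret. In a real application this lives in
// server-side session storage, never in a cookie readable by other origins.
function getCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Vulnerable shape (the pattern the advisory describes): a state-changing
// action guarded only by an authorization check. A cross-site navigation
// carries the admin's session cookie, so the check passes.
function doUpdateVulnerable(array $request, callable $canInstallPackages, callable $upgradePackage): array
{
    if (!$canInstallPackages()) {
        return ['status' => 403, 'body' => 'Not permitted'];
    }
    $handle = (string)($request['params']['pkgHandle'] ?? '');
    $upgradePackage($handle);
    return ['status' => 200, 'body' => "Upgraded {$handle}"];
}

// Hardened form: state changes only via POST, and only with a token that
// matches the one bound to the caller's session (constant-time comparison).
function doUpdateHardened(array $request, array &$session, callable $canInstallPackages, callable $upgradePackage): array
{
    if (($request['method'] ?? 'GET') !== 'POST') {
        return ['status' => 405, 'body' => 'Method Not Allowed'];
    }
    $expected = getCsrfToken($session);
    $provided = (string)($request['post']['ccm_token'] ?? '');  // field name is an assumption
    if ($provided === '' || !hash_equals($expected, $provided)) {
        return ['status' => 403, 'body' => 'Invalid or missing CSRF token'];
    }
    if (!$canInstallPackages()) {
        return ['status' => 403, 'body' => 'Not permitted'];
    }
    $handle = (string)($request['params']['pkgHandle'] ?? '');
    // Package handles are simple identifiers; reject anything else before use.
    if (!preg_match('/^[a-z0-9_]+$/', $handle)) {
        return ['status' => 400, 'body' => 'Bad package handle'];
    }
    $upgradePackage($handle);
    return ['status' => 200, 'body' => "Upgraded {$handle}"];
}

// --- Demonstration with constructed requests ---------------------------------
$session = [];
$upgraded = [];
$canInstall = static fn(): bool => true;               // victim is an admin
$upgrade = static function (string $h) use (&$upgraded): void { $upgraded[] = $h; };

// A forged cross-site navigation: GET, no token, but the session cookie rides along.
$forgedGet = ['method' => 'GET', 'params' => ['pkgHandle' => 'example_pkg'], 'post' => []];

$r1 = doUpdateVulnerable($forgedGet, $canInstall, $upgrade);
$r2 = doUpdateHardened($forgedGet, $session, $canInstall, $upgrade);

// A legitimate same-site form submission carrying the session's token.
$legitPost = [
    'method' => 'POST',
    'params' => ['pkgHandle' => 'example_pkg'],
    'post'   => ['ccm_token' => getCsrfToken($session)],
];
$r3 = doUpdateHardened($legitPost, $session, $canInstall, $upgrade);

printf("forged GET, vulnerable handler: %d (%s)\n", $r1['status'], $r1['body']);
printf("forged GET, hardened handler:   %d (%s)\n", $r2['status'], $r2['body']);
printf("legit POST, hardened handler:   %d (%s)\n", $r3['status'], $r3['body']);
printf("upgrades performed: %s\n", implode(',', $upgraded));
```

Running the script shows the forged GET succeeding against the vulnerable handler and being refused (405) by the hardened one, while the same-site POST with a valid token goes through. The token check is the primary fix; setting the session cookie with SameSite=Lax or Strict is a useful defense in depth but is not a substitute, since it depends on browser behaviour rather than the application verifying intent.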
How can this vulnerability impact me?
This vulnerability can allow an attacker to force an authenticated administrator to unknowingly upgrade a package. This could lead to unauthorized changes in the system, potentially introducing malicious code or destabilizing the CMS.
Because the attack exploits a state-changing GET request without proper CSRF protection, it can be triggered via a single cross-site navigation, making it easier for attackers to exploit.