CVE-2026-8428
CSRF Bypass Leading to Arbitrary CMS Update in Concrete CMS
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: ConcreteCMS
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| concrete5 | concrete_cms | all versions before 9.5.1 (9.5.0 and below) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Concrete CMS version 9.5.0 and below. The local_available_update.php view emits a CSRF token into its POST form, so the token reaches the browser, but the corresponding do_update() controller method never compares the submitted token against the session copy; it is simply discarded. Because the browser attaches the victim's session cookie to any cross-site POST, an attacker who can get a logged-in administrator to load a page they control can submit that form on the administrator's behalf and trigger a core CMS update to an attacker-specified version string.
To be vulnerable, the victim must have permission to upgrade (passing canUpgrade()) and a valid update version must be present under DIR_CORE_UPDATES.
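The following is an added illustration, not Concrete CMS code, that models the flaw and its fix in a language-neutral way: a view mints a per-action token, a vulnerable handler ignores it, and a hardened handler refuses the request unless the submitted token matches the session's copy in constant time. The `Session` and `UpdateController` classes, the `ccm_token` field name, the `can_upgrade` flag (standing in for canUpgrade()), the `available_updates` set (standing in for the contents of DIR_CORE_UPDATES) and the version string "9.4.1" are all constructed for the example.

```python
import hmac
import secrets


class Session:
    """Stand-in for a cookie-bound server session (constructed for this example).
    The browser sends the session cookie with cross-site POSTs automatically,
    which is why the server must check a secret the attacker cannot read."""

    def __init__(self):
        self.tokens = {}


def generate_token(session, action):
    """Mint a per-action CSRF token and remember it in the session."""
    token = secrets.token_hex(16)
    session.tokens[action] = token
    return token


def validate_token(session, action, submitted):
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.tokens.get(action)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


class UpdateController:
    """Model of the update controller (hypothetical). can_upgrade stands in for
    the canUpgrade() permission check; available_updates for the versions
    present under DIR_CORE_UPDATES."""

    def __init__(self, can_upgrade, available_updates):
        self.can_upgrade = can_upgrade
        self.available_updates = set(available_updates)

    def render_form(self, session):
        # The view emits a token into the POST form; "ccm_token" is an assumed field name.
        return {"ccm_token": generate_token(session, "do_update")}

    def _apply(self, version):
        # The two preconditions named in the advisory still apply in both variants.
        if not self.can_upgrade:
            return "forbidden: caller cannot upgrade"
        if version not in self.available_updates:
            return "no such update: %s" % version
        return "updated core to %s" % version

    def do_update_vulnerable(self, session, form):
        # Flaw: the token is read from the form but never compared to the session copy.
        _ = form.get("ccm_token")
        return self._apply(form.get("version"))

    def do_update_fixed(self, session, form):
        # Fix: reject before touching any state unless the token matches.
        if not validate_token(session, "do_update", form.get("ccm_token")):
            return "rejected: invalid CSRF token"
        return self._apply(form.get("version"))


def simulate(controller):
    """Run one legitimate and one forged submission through both handlers.
    Returns (legit/vulnerable, legit/fixed, forged/vulnerable, forged/fixed)."""
    session = Session()
    fields = controller.render_form(session)            # admin loads the update page
    legit = {"ccm_token": fields["ccm_token"], "version": "9.4.1"}  # constructed version
    # Cross-site request: the session cookie rides along, but the attacker's page
    # never saw the token, so it is absent from the forged body.
    forged = {"version": "9.4.1"}
    return (
        controller.do_update_vulnerable(session, legit),
        controller.do_update_fixed(session, legit),
        controller.do_update_vulnerable(session, forged),
        controller.do_update_fixed(session, forged),
    )


if __name__ == "__main__":
    ctl = UpdateController(can_upgrade=True, available_updates={"9.4.1"})
    labels = ("legit/vulnerable", "legit/fixed", "forged/vulnerable", "forged/fixed")
    for label, outcome in zip(labels, simulate(ctl)):
        print(label, "->", outcome)
```

Running the block shows the forged request succeeding against the vulnerable handler and being rejected by the fixed one, while both preconditions (permission and an update present on disk) still gate the outcome either way.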
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform unauthorized updates to the Concrete CMS core by exploiting the lack of CSRF token validation. This could lead to the installation of malicious or unintended versions of the CMS, potentially compromising the integrity and security of the website.