CVE-2026-8428
Analyzed Analyzed - Analysis Complete
CSRF Bypass Leading to Arbitrary CMS Update in Concrete CMS

Publication date: 2026-05-21

Last updated on: 2026-05-26

Assigner: ConcreteCMS

Description
Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string.Β Β In order to be vulnerable, theictim must be passing canUpgrade()anda valid update version must be present under DIR_CORE_UPDATES.Β The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score ofΒ 7.5 with vectorΒ CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. ThanksΒ https://github.com/maru1009Β for reporting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-26
Generated
2026-06-11
AI Q&A
2026-05-22
EPSS Evaluated
2026-06-10
NVD
CVE-2026-8428
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
concretecms concrete_cms to 9.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Concrete CMS version 9.5.0 and below. The system emits a CSRF token in the local_available_update.php view, but the corresponding do_update() method does not validate this token. Although the form is a POST form and the token is sent to the browser, the controller discards the token without verification. This flaw allows an attacker to craft a cross-site POST request that can trigger a core CMS update to an attacker-specified version string, potentially causing unauthorized updates.

To be vulnerable, the victim must have permission to upgrade (passing canUpgrade()) and a valid update version must be present under DIR_CORE_UPDATES.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized updates to the Concrete CMS core by exploiting the lack of CSRF token validation. This could lead to the installation of malicious or unintended versions of the CMS, potentially compromising the integrity and security of the website.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart