Description
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting
Published: 2026-03-04
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: CSRF that permits a rogue administrator to modify the Anti‑Spam Allowlist Group before CSRF validation
Action: Apply Patch
AI Analysis

Impact

The vulnerability occurs when an administrator supplies the group_id parameter to edit the Anti‑Spam Allowlist Group configuration. The system writes those changes before verifying the CSRF token, allowing the authenticated admin to alter spam filtering settings without the expected CSRF protection. The weakness is a low‑severity CSRF flaw identified as CWE‑352.

Affected Systems

All Concrete CMS installations using a version prior to 9.4.8 are affected. There are no stated platform or operating system restrictions; any environment that permits administrative access to the CMS is vulnerable until the patch is applied. The affected functionality is the Anti‑Spam Allowlist Group configuration.

Risk and Exploitability

The CVSS v4.0 score of 2.3 indicates a low impact, and the EPSS score of under 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. An attacker must first authenticate as an administrator to take advantage of the flaw; they can then change the anti‑spam group settings before the CSRF token is validated. While no public exploit is currently known, the flaw remains active and could permit unauthorized modification of spam filtering rules.

Generated by OpenCVE AI on April 17, 2026 at 13:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.4.8 or newer, which ensures that CSRF validation occurs before saving configuration changes.
  • If an immediate upgrade is not possible, restrict or remove administrator access to the Anti‑Spam Allowlist Group configuration page and/or disable the feature until the patch is deployed.
  • Enable logging and alerting of configuration changes, and conduct regular audits of administrator activity to detect any unauthorized modifications.

Generated by OpenCVE AI on April 17, 2026 at 13:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6mxw-2vhf-42g5 Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF)
History

Wed, 04 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}

Wed, 04 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Wed, 04 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting
Title Concrete CMS below 9.4.8 is vulnerable to CSRF by a Rogue Admin using the Anti-Spam Allowlist Group
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Concretecms Concrete Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-03-04T15:05:06.451Z

Reserved: 2026-02-22T21:54:25.204Z

Link: CVE-2026-2994

cve-icon Vulnrichment

Updated: 2026-03-04T15:05:00.725Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T03:16:04.380

Modified: 2026-03-04T21:35:06.167

Link: CVE-2026-2994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses