Description
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier contain a CSRF flaw in the package download endpoint. The download() method forces an authenticated administrator with canInstallPackages permission to retrieve any remote marketplace package without checking a CSRF token. If an attacker can lure an admin to open a crafted link, the server will download and store a malicious package, potentially leading to remote code execution or higher privilege on the site.

Affected Systems

Concrete CMS 9.5.0 and all prior releases are affected. The issue is exploitable only on sites that are connected to the Concrete marketplace and where the user holds the canInstallPackages permission. Administrators of these versions must verify whether their installation is up to date and promptly apply any updates that remove the vulnerable endpoint.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but no EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog. The flaw is a state‑changing GET request that relies on CSRF, so a phishing or drive‑by technique is the likely attack vector. Since exploitation requires an authenticated admin and marketplace connectivity, the risk is confined to sites with active admin accounts that use the marketplace. Nevertheless, an attacker can trigger arbitrary package downloads, which can compromise the entire application if the downloaded package contains malicious code.

Generated by OpenCVE AI on May 21, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to the latest release that removes the CSRF vulnerability in the package download endpoint.
  • Restrict the canInstallPackages permission to only the users who need it and ensure ordinary administrators do not have this capability.
  • Disable outbound connectivity to the Concrete marketplace if the site does not need to install marketplace packages.

Generated by OpenCVE AI on May 21, 2026 at 22:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.
Title Concrete CMS 9.5.0 and below is vulnerable to CSRF on download() in the package install controller
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Concretecms Concrete Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:20:54.319Z

Reserved: 2026-05-07T18:17:00.416Z

Link: CVE-2026-8140

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-21T21:16:33.107

Modified: 2026-05-21T21:16:33.107

Link: CVE-2026-8140

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses