Description
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Published: 2026-05-22
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross-site request forgery in Concrete CMS that allows a user with edit_file_contents permission to be tricked into publishing a version of a file that they did not choose. This can result in a downgrade to an older file version or the activation of another editor's unpublished version, thus compromising content integrity. The flaw is a classic CSRF weakness identified as CWE-352.

Affected Systems

Affected are installations of Concrete CMS (vendor: Concrete CMS) version 9.5.0 and earlier. Users holding the edit_file_contents permission are the ones at risk, since only their sessions can be abused to approve a file version.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, yet the flaw can be exploited by coercing an authenticated user into submitting an unnoticed approveVersion request. Because the EPSS score is unknown and the vulnerability is not listed in CISA KEV, the likelihood of widespread exploitation is currently unclear. Nevertheless, the possibility of unauthorized file changes justifies proactive mitigation.

Generated by OpenCVE AI on May 22, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to the newest version once a vendor patch for the CSRF vulnerability has been released.
  • Restrict the edit_file_contents permission to a minimal set of trusted users and revoke it from accounts that do not need to publish files.
  • Review and validate any file publication actions within your workflow to ensure that content changes are intentional and verified by a separate reviewer.


Advisories

No advisories yet.

History

Fri, 22 May 2026 18:15:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 16:45:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Concretecms; Concretecms concrete Cms

  Type: Vendors & Products
  Values removed: (none)
  Values added: Concretecms; Concretecms concrete Cms

Fri, 22 May 2026 14:30:00 +0000

  Type: Description
  Values removed: (none)
  Values added: Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.

  Type: Title
  Values removed: (none)
  Values added: Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-352

  Type: References
  Values removed: (none)
  Values added: (none listed)

  Type: Metrics
  Values removed: (none)
  Values added: cvssV4_0
    {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T17:26:12.832Z

Reserved: 2026-05-11T16:05:50.640Z

Link: CVE-2026-8340

Vulnrichment

Updated: 2026-05-22T17:26:07.621Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T16:30:39Z

Weaknesses