Description
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation. In order to be vulnerable, the victim must pass canInstallPackages() and the target package must already be installed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to https://github.com/maru1009 for reporting.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier do not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method checks only that the caller can install packages and then executes upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade simply by getting them to load a crafted URL (a link, an image tag, a redirect). The flaw does not let the attacker install a new package: the target package must already be installed, and what the attacker controls is only that its upgrade routines run, in the administrator's session and without the administrator choosing to do so. The assigned vector nonetheless rates the resulting confidentiality, integrity and availability impact as high (VC:H/VI:H/VA:H).

Affected Systems

Concrete CMS releases up to and including 9.5.0 are affected. The vulnerable endpoint resides in concrete/controllers/single_page/dashboard/extend/update.php and requires the target package to be already installed and the requesting user to have permission to install packages, typically an administrator.

Risk and Exploitability

The CVSS v4.0 score of 7.5 indicates high severity. The EPSS score is unavailable, so the likelihood of exploitation is currently unknown, but the lack of a CSRF token on a state-changing GET route gives a clear and easily exercised attack vector. The vulnerability is not listed in the CISA KEV catalog. The attacker needs no credentials of their own (PR:N); what is required is that a victim who is already logged in with package-install permission loads the attacker's URL (UI:A) while the target package is installed. Those preconditions are what the AC:H and AT:P components reflect, and they are realistic in many environments, so the risk is tangible.

Generated by OpenCVE AI on May 21, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Concrete CMS release newer than 9.5.0 as soon as one that enforces CSRF validation on the package update route is available; no vendor fix is listed on this page yet, so check the vendor's security advisories.
  • Until then, block "/dashboard/extend/update/do_update/*" at a reverse proxy or WAF, or restrict it to requests that the browser marks as same-site (Sec-Fetch-Site: same-origin or same-site) and that carry the CMS's CSRF token; note that the edge can check only that a token is present, not that it is valid, so the origin check is what actually stops a cross-site navigation.
  • Limit administrative and package-install permission to trusted users, have administrators log out of the dashboard when not using it, and train them on the danger of following untrusted links while logged in, since a single navigation is enough to trigger this flaw.

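As an added example (not code from Concrete CMS, OpenCVE or the reporter), the following Python puts two of the points above into working form: a scan over access-log lines that flags hits on the vulnerable route which lack a same-site origin or a token, and the allow/deny decision an edge proxy or WAF could apply as the interim restriction described in the recommended actions. It assumes a custom access-log format whose last two quoted fields are the Referer and Sec-Fetch-Site request headers, a CMS hostname of cms.example, and that the CMS's CSRF token, when present, is sent as the ccm_token query parameter; none of these are stated on this page, and the log lines are constructed for the example.

```python
"""Detection and interim edge-blocking logic for the Concrete CMS package-update CSRF.

Added example, not Concrete CMS code. Assumptions the page does not state:
  - access-log lines in a custom nginx-style format whose last two quoted
    fields are the Referer and Sec-Fetch-Site request headers
  - the CMS CSRF token, when present, travels as the 'ccm_token' query parameter
  - the CMS is served as cms.example
The SAMPLE_LOG lines are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "cms.example"  # assumed hostname of the CMS (constructed)

# The vulnerable route: a state-changing GET keyed on the package handle.
ROUTE_RE = re.compile(r"^/dashboard/extend/update/do_update/[^/?#]+$")

# ip - - [ts] "METHOD target PROTO" status bytes "referer" "sec-fetch-site"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<sfs>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:20:31:02 +0000] "GET /dashboard/extend/update/do_update/some_package?ccm_token=abc123 HTTP/1.1" 302 0 "https://cms.example/dashboard/extend/update" "same-origin"
203.0.113.7 - - [21/May/2026:20:33:15 +0000] "GET /dashboard/extend/update/do_update/some_package HTTP/1.1" 302 0 "https://evil.example/lure.html" "cross-site"
203.0.113.7 - - [21/May/2026:20:34:01 +0000] "GET /dashboard/extend/update/do_update/some_package HTTP/1.1" 302 0 "-" "-"
198.51.100.9 - - [21/May/2026:20:35:44 +0000] "GET /dashboard/extend/update HTTP/1.1" 200 5120 "https://cms.example/dashboard" "same-origin"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def is_update_route(path):
    return ROUTE_RE.match(path) is not None


def same_site(sec_fetch_site, referer, site_host=SITE_HOST):
    """True only when the browser attests the request came from the CMS's own site.

    Sec-Fetch-Site is authoritative when present. 'none' (address bar, bookmark)
    counts as not-same-site: a real upgrade is reached from dashboard links, not
    typed by hand. Without Fetch Metadata, fall back to the Referer host; an absent
    Referer is also not-same-site, the safe default for a state-changing route."""
    sfs = sec_fetch_site.lower()
    if sfs in ("same-origin", "same-site"):
        return True
    if sfs in ("cross-site", "none"):
        return False
    if referer and referer != "-":
        return urlsplit(referer).hostname == site_host
    return False


def classify(entry, site_host=SITE_HOST):
    """'legit' or 'suspect' for hits on the vulnerable route; None for other paths."""
    if not is_update_route(entry["path"]):
        return None
    has_token = bool(entry["query"].get("ccm_token"))
    if same_site(entry["sfs"], entry["referer"], site_host) and has_token:
        return "legit"
    return "suspect"


def scan(log_text, site_host=SITE_HOST):
    """Return (timestamp, client ip, path, referer, sec_fetch_site) for suspect hits."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and classify(entry, site_host) == "suspect":
            findings.append((entry["ts"], entry["ip"], entry["path"],
                             entry["referer"], entry["sfs"]))
    return findings


def edge_allow(path, sec_fetch_site, referer, query, site_host=SITE_HOST):
    """Interim allow/deny rule for a reverse proxy or WAF in front of the CMS.

    Paths other than the vulnerable route pass untouched. The route is allowed only
    for same-site requests that carry a token. The edge cannot verify the token
    value, so Sec-Fetch-Site does the real work; the CMS must still validate the
    token once patched."""
    if not is_update_route(path):
        return True
    return same_site(sec_fetch_site, referer, site_host) and bool(query.get("ccm_token"))


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("suspect cross-site package upgrade:", finding)
```

Run against the constructed log, the scan reports the two hits on do_update that arrive without a same-site origin (one with a cross-site Referer, one with no origin information at all) and ignores both the legitimate dashboard-initiated upgrade and the unrelated listing page. The edge rule has a deliberate cost: browsers that do not send Fetch Metadata and do not send a Referer are refused on this one route, which is acceptable for an interim block on a dashboard action but is not a substitute for the vendor fix.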

Tracking


Advisories

No advisories yet.

History

Thu, 21 May 2026 21:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Concretecms; Concretecms concrete Cms

Type: Vendors & Products
Values Removed: (none)
Values Added: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation.In order to be vulnerable, the victim must be passing canInstallPackages() and and a target package must already be already installed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.

Type: Title
Values Removed: (none)
Values Added: Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update controller

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Concretecms Concrete Cms
MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:19:42.643Z

Reserved: 2026-05-12T17:34:46.172Z

Link: CVE-2026-8417

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T21:16:33.980

Modified: 2026-05-21T21:16:33.980

Link: CVE-2026-8417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:00:14Z

Weaknesses