Description
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web server user. In order to be vulnerable, the victim must pass the canInstallPackages permission check, the victim site must be connected to the Concrete marketplace, and the attacker must control the package returned for a marketplace item ID already installed on the victim site. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and earlier do not validate a CSRF token before processing requests to the prepare_remote_upgrade endpoint. An attacker who can supply a malicious package for a marketplace item ID already installed on a victim site can overwrite that package's PHP file on disk. The subsequent upgrade() method is executed during a single browser navigation, resulting in remote code execution as the web server user. The flaw combines CWE-352 Cross-Site Request Forgery and CWE-829 Broken Access Control, and it allows an attacker to compromise both confidentiality and integrity of the affected application.

Affected Systems

The vulnerability affects Concrete CMS 9.5.0 and all earlier 9.x releases. Anyone running those versions with the canInstallPackages feature enabled and a site connected to the Concrete marketplace is potentially vulnerable. Versions newer than 9.5.0 are not impacted by this flaw.

Risk and Exploitability

The CVSS base score of 7.5 reflects high severity; the exploit requires the victim to have an active administrative session and the site to be configured to accept remote marketplace packages, conditions that are common on many installations. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Because the vulnerability can be exercised in a single request, an attacker who can direct a user to a crafted URL may trigger RCE without further interaction. The lack of CSRF protection means the attack can be performed by simply loading a malicious link in the victim’s browser.

Generated by OpenCVE AI on May 21, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade Concrete CMS to a release that adds CSRF validation for the prepare_remote_upgrade endpoint.
  • If upgrading immediately is not possible, disable the canInstallPackages option and disconnect the site from the Concrete marketplace to eliminate the ability to fetch remote packages.
  • Restrict package installation privileges to trusted administrators and verify that only trusted package sources are used when installing or updating extensions.
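The first recommended action above is the one the vendor fix has to deliver: a state-changing endpoint that can be reached by a bare browser navigation must require a session-bound CSRF token. The following PHP is an added illustration written for this page; it is not Concrete CMS code and does not use Concrete's own token helper. It shows the vulnerable pattern the description above refers to (a GET-reachable action guarded only by a permission check) next to a hardened version that requires POST, validates a per-session token in constant time, and logs rejections so a defender can see attempts. The names prepareRemoteUpgradeVulnerable(), prepareRemoteUpgradeHardened(), canInstallPackages(), downloadAndUpgradePackage() and the ccm_token field name are assumptions for the illustration.

```php
<?php
// Added illustration, not Concrete CMS code. A minimal, framework-agnostic
// "prepare remote upgrade" style handler: first the vulnerable pattern the
// advisory describes, then a hardened version. Helper names are assumed.

declare(strict_types=1);

session_start();

// --- Placeholders standing in for the application's own services -----------

// Assumed permission helper: only admins with package-install rights pass.
function canInstallPackages(): bool
{
    return !empty($_SESSION['can_install_packages']);
}

// Assumed package service: fetches the marketplace package and writes its
// PHP to disk before running upgrade(). This is the sensitive step.
function downloadAndUpgradePackage(int $mpId): void
{
    error_log(sprintf('would fetch and upgrade marketplace package %d', $mpId));
}

// --- Generic session-bound CSRF token --------------------------------------

// One random token per session, reused for every form in that session. A
// third-party origin cannot read it, so it cannot forge a valid request.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing token or missing session state fails closed.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Vulnerable pattern (the shape described for CVE-2026-8426) -------------
// Reachable by a plain GET and guarded only by the permission check, so a
// logged-in admin who merely follows a link triggers the download and upgrade.
function prepareRemoteUpgradeVulnerable(int $mpId): void
{
    if (!canInstallPackages()) {
        http_response_code(403);
        return;
    }
    downloadAndUpgradePackage($mpId);
}

// --- Hardened pattern ------------------------------------------------------
// 1. Only a POST may change state (a browser navigation is a GET).
// 2. The request must carry this session's CSRF token.
// 3. The permission check stays in place.
function prepareRemoteUpgradeHardened(int $mpId): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return;
    }
    if (!csrfTokenIsValid($_POST['ccm_token'] ?? null)) {
        http_response_code(403);
        // Log the rejection: repeated failures are a useful detection signal.
        error_log(sprintf('CSRF token rejected for prepare_remote_upgrade mpID=%d from %s',
            $mpId, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return;
    }
    if (!canInstallPackages()) {
        http_response_code(403);
        return;
    }
    downloadAndUpgradePackage($mpId);
}

// The legitimate dashboard form embeds the token so the real UI keeps working.
function renderUpgradeForm(int $mpId): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/dashboard/extend/update/prepare_remote_upgrade/' . $mpId . '">'
         . '<input type="hidden" name="ccm_token" value="' . $token . '">'
         . '<button type="submit">Upgrade</button></form>';
}
```

Requiring POST on its own is not sufficient, since a cross-site page can auto-submit a POST form; the token is what breaks the attack, and the method restriction just removes the "single navigation" path. Keeping the permission check after the token check means an unauthenticated or unprivileged request is rejected before any marketplace fetch is attempted.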

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type                   Values Removed   Values Added
First Time appeared                     Concretecms
                                        Concretecms concrete Cms
Vendors & Products                      Concretecms
                                        Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web server user. In order to be vulnerable, the victim must be passing canInstallPackages, victim site must be connected to the Concrete marketplace; and the attacker controls the package returned for a marketplace item ID already installed on the victim site. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
Title                          Concrete CMS 9.5.0 and below is vulnerable to CSRF on prepare_remote_upgrade() leading to one-request RCE via package overwrite
Weaknesses                     CWE-352
                               CWE-829
References
Metrics                        cvssV4_0: {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:22:09.950Z

Reserved: 2026-05-12T17:59:05.154Z

Link: CVE-2026-8426

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T21:16:34.243

Modified: 2026-05-21T21:16:34.243

Link: CVE-2026-8426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses