Description
Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string. In order to be vulnerable, the victim must pass canUpgrade() and a valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
Published: 2026-05-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The core CMS update controller in Concrete CMS 9.5.0 and earlier renders a 'do_update' CSRF token into the update form but never validates it in do_update(). Because the token is not checked, a POST that omits it is processed exactly like a legitimate submission, so an attacker-controlled page can make the browser of a logged-in user who passes canUpgrade() send a cross-site POST that instructs the CMS to update itself to an attacker-selected version string. The version string has to match an update package already present under DIR_CORE_UPDATES.
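The following is an added, self-contained PHP model of the pattern described above and in the Description; it is not Concrete CMS code. The Token class is a simplified stand-in for Concrete's CSRF token (bound to one action and one session by an HMAC) and does not reproduce the real Concrete\Core\Validation\CSRF\Token; the request field names updateVersion and ccm_token, the Site class and the per-version package list are assumptions made for the example. It runs the same legitimate and cross-site POSTs through a controller in the vulnerable shape (token emitted, never validated) and one in the hardened shape (validate('do_update') before acting).

```php
<?php
// Added example, not Concrete CMS code. Models CVE-2026-8428 with a simplified
// stand-in for Concrete's CSRF Token; field names, Site and the package list
// are assumptions for illustration only.
declare(strict_types=1);

// Stand-in token: HMAC over (action, session id) with a per-site secret, so a
// token is bound to one action and one session and cannot be guessed cross-site.
final class Token
{
    public function __construct(private string $secret, private string $sessionId) {}

    public function generate(string $action): string
    {
        return hash_hmac('sha256', $action . "\0" . $this->sessionId, $this->secret);
    }

    // Same shape as $this->token->validate('do_update'): true only when the
    // submitted value matches the token for this action and this session.
    public function validate(string $action, ?string $submitted): bool
    {
        return $submitted !== null && hash_equals($this->generate($action), $submitted);
    }
}

// Preconditions from the advisory: the victim passes canUpgrade() and a valid
// update package exists under DIR_CORE_UPDATES (assumed: one entry per version).
final class Site
{
    public array $applied = [];
    public function __construct(public bool $canUpgrade, public array $availableUpdates) {}
}

abstract class UpdateController
{
    public function __construct(protected Token $token, protected Site $site) {}

    abstract public function do_update(array $post): string;

    // The state-changing action the CSRF token is supposed to protect.
    protected function applyUpdate(string $version): string
    {
        if (!$this->site->canUpgrade) {
            return 'denied: canUpgrade() is false';
        }
        if (!in_array($version, $this->site->availableUpdates, true)) {
            return "denied: no package for $version under DIR_CORE_UPDATES";
        }
        $this->site->applied[] = $version;
        return "updated to $version";
    }
}

// Vulnerable shape (9.5.0 and below per the advisory): the view emitted a
// 'do_update' token, but the controller never looks at it.
final class VulnerableUpdateController extends UpdateController
{
    public function do_update(array $post): string
    {
        return $this->applyUpdate((string) ($post['updateVersion'] ?? ''));
    }
}

// Hardened shape: refuse the request unless the token for this action validates.
final class FixedUpdateController extends UpdateController
{
    public function do_update(array $post): string
    {
        if (!$this->token->validate('do_update', $post['ccm_token'] ?? null)) {
            return 'rejected: invalid CSRF token';
        }
        return $this->applyUpdate((string) ($post['updateVersion'] ?? ''));
    }
}

// Driver: the legitimate submission carries the token the view rendered; a
// cross-site POST from an attacker page cannot read that token, so it has none.
$token = new Token(secret: 'per-site-secret', sessionId: 'victim-session');
$site  = new Site(canUpgrade: true, availableUpdates: ['9.5.1']);

$legit = ['updateVersion' => '9.5.1', 'ccm_token' => $token->generate('do_update')];
$csrf  = ['updateVersion' => '9.5.1'];

foreach ([new VulnerableUpdateController($token, $site), new FixedUpdateController($token, $site)] as $c) {
    printf("%-28s legit: %-18s csrf: %s\n", $c::class, $c->do_update($legit), $c->do_update($csrf));
}
```

Run with php 8.0 or later. The vulnerable controller reports "updated to 9.5.1" for both requests; the fixed one accepts the legitimate request and answers "rejected: invalid CSRF token" to the cross-site one. Flip canUpgrade to false or empty availableUpdates to see why the advisory lists both as preconditions: without them even the vulnerable controller refuses the update.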

Affected Systems

Concrete CMS 9.5.0 and earlier are affected (the Description says "9.5.0 and below"; no fixed version is listed on this page). An installation is exploitable only when a valid update package is present under DIR_CORE_UPDATES and the targeted user passes canUpgrade(), i.e. is permitted to update the core from the dashboard update page.

Risk and Exploitability

The flaw carries a CVSS v4.0 base score of 7.5 (High). The vector explains why it is not a drive-by: PR:N (the attacker needs no account of their own) but UI:A (a privileged user must actively visit the attacker's page while logged in), with AC:H and AT:P (a valid update package must already be staged under DIR_CORE_UPDATES and the victim must pass canUpgrade()). Under those conditions VC:H/VI:H/VA:H reflects that the forged request changes the running core version of the whole site. No EPSS score is published and the CVE is not listed in the CISA KEV. The attack vector is network, since the dashboard is reachable over the web, but the request is issued by the victim's own browser and therefore carries the victim's session cookies; an IP or network restriction on the dashboard does not by itself block it.

Generated by OpenCVE AI on May 21, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Concrete CMS release in which do_update() in concrete/controllers/single_page/dashboard/system/update/update.php calls $this->token->validate('do_update') before acting on the request. No fixed version or vendor advisory is listed on this page, so confirm the fix against the vendor's release notes rather than assuming a version number.
  • If an upgrade cannot be performed immediately, reduce the set of users who can reach the core update dashboard page to the smallest group of trusted administrators. Network-level restrictions (IP allow-lists, VPN) do not stop CSRF on their own, because the forged request is sent by the administrator's own browser from inside the allowed network; they only shrink the pool of users an attacker can target.
  • Keep DIR_CORE_UPDATES empty until an update is about to be applied. The advisory makes a valid update package in that directory a precondition for exploitation, so staging packages only at update time removes the exploitable state; while packages are staged, verify they are the official ones you placed there and nothing else.
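As an added example (not OpenCVE or Concrete CMS code), the script below audits an installation for the two conditions the advisory ties the issue to: whether the controller file named in the Description contains a validate('do_update') call, and whether any update package is staged. It assumes DIR_CORE_UPDATES resolves to updates/ under the site root and that a staged package is a directory with its own concrete/ tree; both are assumptions, not facts from this page. The grep is a heuristic (it shows the call is present, not that the controller is otherwise correct), so treat "not affected" as a prompt to confirm against the vendor's release notes. Without arguments it builds constructed fixtures in the temp directory so it runs offline; pass a real site root as the first argument to audit it.

```php
<?php
// Added example, not Concrete CMS or OpenCVE code. Read-only audit for the
// CVE-2026-8428 preconditions. Assumptions: DIR_CORE_UPDATES == <root>/updates,
// and the fix is visible as a validate('do_update') call in the controller.
declare(strict_types=1);

const CONTROLLER = 'concrete/controllers/single_page/dashboard/system/update/update.php';

function auditUpdateCsrf(string $root): array
{
    $result = ['controller_found' => false, 'validates_do_update' => false, 'update_packages' => []];

    $controller = $root . '/' . CONTROLLER;
    if (is_file($controller)) {
        $result['controller_found'] = true;
        $src = (string) file_get_contents($controller);
        // Heuristic: does the controller validate the 'do_update' token at all?
        $result['validates_do_update'] =
            preg_match('/token->validate\(\s*[\'"]do_update[\'"]/', $src) === 1;
    }

    $updates = $root . '/updates';
    if (is_dir($updates)) {
        foreach (scandir($updates) ?: [] as $entry) {
            // Only a real package (a directory carrying its own concrete/ tree) counts.
            if ($entry[0] !== '.' && is_dir("$updates/$entry/concrete")) {
                $result['update_packages'][] = $entry;
            }
        }
    }
    return $result;
}

function verdict(array $r): string
{
    if (!$r['controller_found']) {
        return 'unknown: controller file not found (not a Concrete root?)';
    }
    if ($r['validates_do_update']) {
        return 'not affected by this check: do_update() validates its token';
    }
    if (!$r['update_packages']) {
        return 'vulnerable code, not currently exploitable: nothing staged under updates/';
    }
    return 'EXPOSED: token unchecked and package(s) staged: ' . implode(', ', $r['update_packages']);
}

// Constructed fixtures (not real Concrete trees) so the script can run offline.
function fixture(string $name, string $controllerSrc, array $packages): string
{
    $root = sys_get_temp_dir() . '/csrf-audit-' . $name . '-' . getmypid();
    mkdir(dirname("$root/" . CONTROLLER), 0700, true);
    file_put_contents("$root/" . CONTROLLER, $controllerSrc);
    foreach ($packages as $p) {
        mkdir("$root/updates/$p/concrete", 0700, true);
    }
    return $root;
}

$vulnSrc  = "<?php\nfunction do_update() { \$v = \$this->request->request->get('updateVersion'); /* no token check */ }\n";
$fixedSrc = "<?php\nfunction do_update() { if (!\$this->token->validate('do_update')) { return; } }\n";

$roots = $argc > 1 ? [$argv[1]] : [
    fixture('vulnerable-staged', $vulnSrc, ['concrete9.5.1']),
    fixture('vulnerable-empty',  $vulnSrc, []),
    fixture('fixed-staged',      $fixedSrc, ['concrete9.5.1']),
];

foreach ($roots as $root) {
    echo $root, ': ', verdict(auditUpdateCsrf($root)), "\n";
}
```

Usage: php audit_update_csrf.php /var/www/concrete. The three fixtures exercise the verdict order: an unchecked token with a staged package is reported as exposed, the same controller with an empty updates/ as not currently exploitable, and a controller that validates the token as not affected by this check.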

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Concretecms; Concretecms concrete Cms
Vendors & Products   -                Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description   -                (the CVE description, as given under Description above)
Title         -                CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and below
Weaknesses    -                CWE-352; CWE-829
References    -                -
Metrics       -                cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T20:24:11.572Z

Reserved: 2026-05-12T18:07:11.189Z

Link: CVE-2026-8428

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T21:16:34.387

Modified: 2026-05-21T21:16:34.387

Link: CVE-2026-8428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:21Z

Weaknesses