Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS 9 releases prior to 9.5.0 lack cross-site request forgery protection on the file approval endpoint (approveVersion() in concrete/controllers/backend/file). An attacker who can trick an authenticated user into visiting a crafted URL can trigger the approveVersion() action without the user’s knowledge. The impact is limited to actions the authenticated user is already authorized to perform, such as approving a file version, which may lead to unauthorized content changes.

Affected Systems

The vulnerability affects Concrete CMS 9 installations running any release older than 9.5.0. Administrators should verify the instance’s version and ensure it is running 9.5.0 or later.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity; no EPSS score is available and the issue is not listed in CISA KEV. Based on the description, the likely attack vector is a forged web request riding on an authenticated session: the attack requires a user who holds file approval privileges to be tricked into visiting a malicious link, which is what the UI:P and AT:P components of the vector reflect. Although the risk is low, the vulnerability is more exploitable in environments where the approval feature is used widely or where an attacker can target privileged users.

Generated by OpenCVE AI on May 21, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to version 9.5.0 or later to remove the CSRF vulnerability.
  • If upgrading immediately is not possible, disable the file approval feature for non-privileged users or restrict it to administrators only.
  • Deploy a web application firewall or enable custom CSRF token validation so that approval requests without a valid anti-forgery token are rejected.

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Concretecms
                                       Concretecms concrete Cms
Vendors & Products    -                Concretecms
                                       Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description   -                Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Title         -                Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion()
Weaknesses    -                CWE-1275
                               CWE-352
References    -                -
Metrics       -                cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: ConcreteCMS
Published:
Updated: 2026-05-21T21:22:30.726Z
Reserved: 2026-05-12T18:21:37.718Z
Link: CVE-2026-8435

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-21T22:16:52.053
Modified: 2026-05-21T22:16:52.053
Link: CVE-2026-8435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T22:45:20Z

Weaknesses