CVE-2026-8428
CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and below
Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string. In order to be vulnerable, theictim must be passing canUpgrade()anda valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
| CWE | CWE-352 CWE-829 |
| Vendor | concrete cms |
| Product | concrete cms |
| Published | May 21, 2026 |
| Last Updated | May 22, 2026 |
Get instant alerts for concrete cms concrete cms
Be the first to know when new unknown vulnerabilities affecting concrete cms concrete cms are published — delivered to Slack, Telegram or Discord.