VYPR
Low severity. NVD Advisory. Published Mar 4, 2026. Updated Mar 4, 2026.

Concrete CMS below 9.4.8 is vulnerable to CSRF by a Rogue Admin using the Anti-Spam Allowlist Group

CVE-2026-2994

Description

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to z3rco for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS below 9.4.8 is vulnerable to CSRF in the Anti-Spam Allowlist Group Configuration, allowing a rogue administrator to bypass CSRF protection.

Vulnerability

Overview

Concrete CMS versions prior to 9.4.8 are affected by a cross-site request forgery (CSRF) vulnerability in the Anti-Spam Allowlist Group Configuration. The flaw exists because the application saves changes to the group_id parameter before validating the CSRF token, allowing a rogue administrator to bypass the token check [1].
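The ordering defect described above, shown as an added example (not Concrete CMS code; the handler names, the csrf_token field and the in-memory config dict are hypothetical): the vulnerable handler persists group_id before the token check, so a request without a valid token still changes state, while the fixed handler rejects before touching anything.

```python
import hmac
import secrets

# Constructed stand-in for the per-session CSRF token the CMS would issue.
SESSION_TOKEN = secrets.token_hex(16)


def token_is_valid(submitted) -> bool:
    """Constant-time comparison of the submitted token against the session token."""
    return hmac.compare_digest(submitted or "", SESSION_TOKEN)


def save_group_vulnerable(config: dict, request: dict) -> dict:
    """Order the advisory describes: the change is saved first, the token is
    checked afterwards, so the error response does not undo the mutation."""
    config["group_id"] = request["group_id"]            # state mutated ...
    if not token_is_valid(request.get("csrf_token")):   # ... then token checked, too late
        return {"status": "error", "config": config}
    return {"status": "ok", "config": config}


def save_group_fixed(config: dict, request: dict) -> dict:
    """Correct order: validate the CSRF token before any state change."""
    if not token_is_valid(request.get("csrf_token")):
        return {"status": "error", "config": config}    # config untouched
    config["group_id"] = request["group_id"]
    return {"status": "ok", "config": config}


def demo():
    """Replay one constructed forged request (no token) against both handlers."""
    forged = {"group_id": 999}
    vuln = save_group_vulnerable({"group_id": 3}, forged)
    fixed = save_group_fixed({"group_id": 3}, forged)
    return vuln, fixed


if __name__ == "__main__":
    before_fix, after_fix = demo()
    print("vulnerable handler left group_id =", before_fix["config"]["group_id"])
    print("fixed handler left group_id =", after_fix["config"]["group_id"])
```

The check a reviewer wants is simple: in every state-changing handler, the token validation must be the first thing that can fail, and no write may precede it.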

Attack

Vector

An attacker who is already an authenticated administrator can craft a malicious request that, when executed by another administrator (e.g., via social engineering), modifies the Anti-Spam Allowlist Group Configuration without a valid CSRF token. The attack requires low privileges (PR:L) and user interaction (UI:P), and can be performed over the network with low complexity [1].

Impact

Successful exploitation results in a security bypass with low integrity impact (VI:L). The attacker can alter the allowlist group settings, potentially weakening spam protections. There is no impact on confidentiality or availability [1].

Mitigation

The vulnerability is fixed in Concrete CMS version 9.4.8 [2]. Users are advised to upgrade to this version or later. No workarounds have been published.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: < 9.4.8
Patched versions: 9.4.8

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)