CVE-2026-8409
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 has a CSRF vulnerability in the delete log dialog controller, allowing attackers to trigger log deletion without proper authorization.
Vulnerability
Overview
Concrete CMS versions 9 prior to 9.5.0 contain a Cross-Site Request Forgery (CSRF) vulnerability located in the concrete/controllers/dialog/logs/delete controller [1]. This flaw stems from insufficient validation of the origin of requests, allowing an attacker to craft a malicious link or page that, when visited by an authenticated administrator, triggers the deletion of system logs without the admin's consent. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), with the vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, indicating low impact on integrity but requiring user interaction and some attacker access to the network [1].
Exploitation
To exploit this vulnerability, an attacker must trick an authenticated Concrete CMS administrator into clicking a crafted link or visiting a malicious page while logged into the CMS. The attack requires no prior authentication for the attacker themselves (PR:N), but the victim must have administrative privileges to access the dialog controller. The attack complexity is low (AC:L), and the victim must interact (UI:P), so the attacker has to deceive the user. The attack vector is network-based (AV:N), and protections such as the 5.1.2 release and proper CSRF tokens may be bypassed because the check is missing in this specific endpoint [1].
Impact
Successful exploitation allows the attacker to trigger deletion of system logs from the Concrete CMS interface. This could hinder forensic analysis, hide the attacker's other malicious activities, or disrupt normal operations. However, the vulnerability does not allow modification of user data or privilege escalation, and its integrity impact is categorized as low (VI:L). The attack does not affect other systems or data on the same network (SC:N, SI:N, SA:N) [1].
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.0 and later. The release notes for version 9.5.1 confirm the fix was included in that update [1]. Users running Concrete CMS 9 versions below 9.5.0 should upgrade to at least 9.5.0 or the latest 9.5.x release to remediate the issue. No workaround was provided for unpatched versions [1].
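The narrative above attributes the flaw to a state-changing dialog action that checks the caller's privileges but not the origin of the request. The following PHP snippet is an added illustration of that pattern and of the usual fix; it is not Concrete CMS's own controller or its token API. The handler names, the `csrf_token` parameter name and the session secret are constructed for the example.

```php
<?php
// Added example (hypothetical code, not Concrete CMS's controller or Token class):
// a "delete logs" handler in its vulnerable shape and in a CSRF-protected shape.

declare(strict_types=1);

// Constructed per-session secret; in a real application this lives in the session store.
const SESSION_SECRET = 'constructed-session-secret-for-demo';

// Derive a token bound to both the session and the specific action (e.g. 'delete_logs'),
// so a token leaked or reused for one action cannot authorize another.
function csrfToken(string $action, string $sessionSecret = SESSION_SECRET): string
{
    return hash_hmac('sha256', $action, $sessionSecret);
}

// Compare the presented token in constant time to avoid leaking it through timing.
function csrfTokenIsValid(?string $presented, string $action, string $sessionSecret = SESSION_SECRET): bool
{
    if ($presented === null || $presented === '') {
        return false;
    }
    return hash_equals(csrfToken($action, $sessionSecret), $presented);
}

// Vulnerable shape: only the privilege check is performed. The browser attaches the
// admin's session cookie to any request, so a request issued from another site passes.
function deleteLogsVulnerable(array $request, bool $isAdmin): string
{
    if (!$isAdmin) {
        return 'denied';
    }
    return 'logs deleted';
}

// Hardened shape: the request must be a POST and must carry a valid action-bound token
// that only a same-site page rendered by the application could have embedded.
function deleteLogsHardened(array $request, bool $isAdmin): string
{
    if (!$isAdmin) {
        return 'denied';
    }
    if (($request['method'] ?? 'GET') !== 'POST') {
        return 'method not allowed';
    }
    if (!csrfTokenIsValid($request['csrf_token'] ?? null, 'delete_logs')) {
        return 'invalid token';
    }
    return 'logs deleted';
}

// Constructed requests: one from a same-site form that embedded the token,
// one cross-site request that carries the session cookie but no token.
$legitimate = ['method' => 'POST', 'csrf_token' => csrfToken('delete_logs')];
$crossSite  = ['method' => 'POST'];

echo 'vulnerable, cross-site: ', deleteLogsVulnerable($crossSite, true), PHP_EOL;
echo 'hardened, cross-site:   ', deleteLogsHardened($crossSite, true), PHP_EOL;
echo 'hardened, same-site:    ', deleteLogsHardened($legitimate, true), PHP_EOL;
```

The token check is the control the advisory says was missing from this endpoint; the method check is a complementary measure that keeps a bare link from triggering a deletion at all. Log deletion remaining POST-only plus a logged, token-verified action also leaves an audit trail that helps detect attempts against unpatched installs.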
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.