CVE-2026-8412
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 is vulnerable to CSRF in the bulk cache dialog, allowing low-impact unauthorized actions.
Vulnerability
Overview
CVE-2026-8412 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Concrete CMS 9 versions prior to 9.5.0. The flaw exists in the concrete/controllers/dialog/page/bulk/cache endpoint, where insufficient validation of request origin allows an attacker to trick an authenticated administrator into performing unintended actions. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), reflecting the limited impact and the user interaction required [1].
Exploitation and Attack Surface
To exploit this vulnerability, an attacker must craft a malicious web page or link that triggers a forged request to the vulnerable endpoint. The attack requires the victim to be logged into Concrete CMS and to interact with the attacker-controlled content (e.g., clicking a link or visiting a page). No authentication is needed on the attacker's part, but the victim must have administrative privileges to perform the cache-related action. The attack complexity is low, but the vulnerable endpoint must be reachable over the network from the victim's browser [1].
Impact
Successful exploitation allows an attacker to perform cache operations (such as clearing or modifying the page cache) on behalf of the victim administrator. The impact is limited to integrity loss (low) with no confidentiality or availability impact. The CVSS vector indicates no privilege escalation or lateral movement, and the attack does not affect subsequent systems [1].
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.0 and later. Users running versions before 9.5.0 should upgrade to the latest release (9.5.1 or higher) to remediate the issue. The 9.5.1 release notes confirm the inclusion of security fixes and behavioral improvements [1]. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=9.0.0,<9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.