CVE-2026-8414
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 has a CSRF vulnerability in the event duplicate dialog, allowing unauthorized duplication of events with low impact.
Vulnerability Overview
CVE-2026-8414 is a Cross-Site Request Forgery (CSRF) vulnerability in Concrete CMS 9 prior to 9.5.0. The flaw is in the concrete/controllers/dialog/event/duplicate endpoint, which performs a state-changing action without verifying that the request was submitted from the CMS's own interface (no CSRF token check). An attacker can therefore trick an authenticated user with rights to the calendar event dialog, in practice an administrator, into duplicating calendar events without intending to.
Exploitation and Attack Surface
Exploitation requires the attacker to host a page or link that, when visited by a Concrete CMS administrator who is currently logged in, causes the browser to send a forged request to the vulnerable endpoint; the browser attaches the victim's session cookie automatically, so the request arrives authenticated. The attack is network-based (AV:N) with low attack complexity (AC:L); UI:P (passive) means the victim only has to visit the attacker's page, and AT:P records the precondition that the victim must hold an active session with the relevant privileges. The attacker needs no account of their own (PR:N). Because the endpoint does not require a valid CSRF token, nothing distinguishes the forged request from one submitted through the CMS's own dialog.
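The forged-request flow described above, as an added illustration written for this page (it is not Concrete CMS code and not the 9.5.0 fix): a minimal Python model of a "duplicate event" handler, first with only the session check that the description implies was present, then hardened with a per-session, per-action HMAC token plus an Origin/Referer check. The handler names, the csrf_token and eventID parameters, and the hosts cms.example and evil.example are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed for this example (not Concrete CMS configuration): the site's
# own origin and a server-side secret used to derive CSRF tokens.
SITE_ORIGIN = "https://cms.example"
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    """A logged-in session. The browser sends its cookie on every request,
    including ones forged by another site, so the session alone proves
    nothing about where the request came from."""
    session_id: str
    user: str
    events: dict = field(default_factory=dict)


@dataclass
class Request:
    session: Session   # resolved from the cookie the browser attached
    params: dict       # POST body / query parameters
    headers: dict


def make_token(session: Session, action: str) -> str:
    """Per-session, per-action CSRF token: HMAC-SHA256 over session id and
    action name. Only a page served by the CMS can embed it in a form; a
    cross-site page cannot read it."""
    msg = f"{session.session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """Exact scheme/host/port comparison; a string-prefix test would
    wrongly accept https://cms.example.evil."""
    got, want = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.hostname, got.port) == (want.scheme, want.hostname, want.port)


def _duplicate(session: Session, event_id: int) -> dict:
    src = session.events[event_id]
    new_id = max(session.events) + 1
    session.events[new_id] = dict(src, name=src["name"] + " (copy)")
    return {"ok": True, "newEventID": new_id}


def duplicate_event_vulnerable(req: Request) -> dict:
    """Pre-fix shape of the handler: the only check is that a session exists,
    which a forged request satisfies because the victim's cookie is attached."""
    return _duplicate(req.session, req.params["eventID"])


def duplicate_event_fixed(req: Request) -> dict:
    """Hardened handler: Origin/Referer check as defence in depth, then the
    token check that actually closes the CSRF hole."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and not same_origin(origin):
        return {"ok": False, "error": "cross-site origin rejected"}
    expected = make_token(req.session, "duplicate_event")
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return {"ok": False, "error": "missing or invalid CSRF token"}
    return _duplicate(req.session, req.params["eventID"])


def run_demo() -> dict:
    """Replays the attack against both handlers on a constructed session."""
    victim = Session("s1", "admin", {7: {"name": "Board meeting"}})
    # Attacker page on evil.example auto-submits a POST to the dialog endpoint;
    # the victim's browser adds the cookie, and no token is present.
    forged = Request(victim, {"eventID": 7}, {"Origin": "https://evil.example"})
    forged_no_origin = Request(victim, {"eventID": 7}, {})
    # Legitimate submission from the CMS's own dialog, which embeds the token.
    legit = Request(
        victim,
        {"eventID": 7, "csrf_token": make_token(victim, "duplicate_event")},
        {"Origin": SITE_ORIGIN},
    )
    # A token minted for a different action must not be accepted here.
    wrong_action = Request(
        victim,
        {"eventID": 7, "csrf_token": make_token(victim, "delete_event")},
        {"Origin": SITE_ORIGIN},
    )
    return {
        "vulnerable_forged": duplicate_event_vulnerable(forged),  # succeeds: the bug
        "fixed_forged": duplicate_event_fixed(forged),
        "fixed_forged_no_origin": duplicate_event_fixed(forged_no_origin),
        "fixed_wrong_action": duplicate_event_fixed(wrong_action),
        "fixed_legit": duplicate_event_fixed(legit),
        "event_count": len(victim.events),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The Origin check alone is not sufficient (some clients omit the header, which is why the code falls through rather than rejecting), so the token comparison is the gate that actually matters; binding the token to the action name means a token leaked or reused from another dialog does not unlock this one.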
Impact and Mitigation
The impact is limited to a low integrity violation (VI:L): the attacker can cause events to be duplicated, not modified or deleted. No confidentiality or availability impact is expected. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the minimal risk. The vulnerability is fixed in Concrete CMS 9.5.0; the cited release notes [1] cover the subsequent 9.5.1 release. Users should upgrade to 9.5.0 or later to close this issue.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Concrete CMS 9: range <9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.