CVE-2026-8415
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 has a CSRF vulnerability in the Express Association reorder dialog, allowing low-impact unauthorized actions.
Vulnerability
Overview
CVE-2026-8415 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Concrete CMS 9 versions prior to 9.5.0. The flaw exists in the concrete/controllers/dialog/express/association/reorder endpoint, which neither requires nor validates a unique anti-CSRF token on state-changing requests. An attacker can therefore trick an authenticated administrator's browser into submitting an unintended request, such as reordering Express associations, without the administrator's knowledge [1].
Exploitation
Conditions
Exploitation requires the attacker to craft a malicious link or form and convince a logged-in Concrete CMS administrator to interact with it. No special network position is needed beyond standard web access, and the attack does not require authentication on the attacker's part. The CVSS v4.0 score of 2.3 (Low) reflects the low impact and the need for user interaction [1].
Impact
If successfully exploited, an attacker can cause the victim's browser to send a forged request that reorders Express associations. The impact is limited to low-integrity changes; no confidentiality or availability impact is noted. The Concrete CMS security team assessed the vector as AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, indicating no direct data exposure or system compromise [1].
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.0 and later. Sites running versions before 9.5.0 should upgrade to the latest release. The 9.5.1 release notes also include related security improvements, such as using public identifiers instead of sequential IDs for Express entries, which may further reduce the attack surface [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.