VYPR
Low severity · NVD Advisory · Published May 21, 2026

CVE-2026-8416

Description

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9 before 9.5.0 is vulnerable to CSRF in the addFavoriteFolder endpoint, allowing an attacker to add a favorite folder on behalf of a logged-in user.

Vulnerability

CVE-2026-8416 is a Cross-Site Request Forgery (CSRF) vulnerability in Concrete CMS versions 9 prior to 9.5.0. The flaw exists in the addFavoriteFolder action of the concrete/controllers/backend/file controller. The root cause is the lack of CSRF protection on this specific endpoint, enabling an attacker to forge requests that add a folder to the user's favorites without their consent [1].

Exploitation

To exploit this vulnerability, an attacker needs to trick an authenticated Concrete CMS user into visiting a malicious page or clicking a crafted link. The attacker does not require any special privileges on the target system; the victim must be logged in to the CMS for the CSRF request to succeed. The attack can be launched from any network location, as the request is sent to the legitimate server by the victim's browser. The CVSS v4.0 vector indicates low attack complexity and no required privileges, but a passive attacker profile (AT:P) suggests the attacker must rely on user interaction [1].

Impact

A successful CSRF attack could cause the targeted user's session to add a file folder to their favorites list. The impact is considered low, as the action only modifies the user's personal preferences (favorites) and does not affect other users or system configuration. The CVSS v4.0 confidentiality, integrity, and availability scores are all low or none, reflecting that this is a limited, non-escalating issue [1].

Mitigation

The vulnerability is fixed in Concrete CMS version 9.5.0, which was released alongside the 9.5.1 release notes. Users running Concrete CMS 9 should upgrade to version 9.5.0 or later to eliminate the CSRF risk. No workarounds are documented, but applying the update is straightforward via Composer or direct file replacement [1].
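To make the missing check concrete, here is an added illustration (not Concrete CMS's own code) of an addFavoriteFolder handler in its unprotected shape beside a hardened one that requires a session-bound, action-bound CSRF token. `Session`, `Request`, the `csrf_token` parameter name and the action label are constructed stand-ins, not Concrete's identifiers.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-ins for the CMS session and HTTP request (hypothetical, not Concrete's classes).
@dataclass
class Session:
    user_id: int
    favorites: set = field(default_factory=set)
    # Per-session secret from which CSRF tokens are derived; a cross-site page never learns it.
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class Request:
    method: str
    params: dict
    # The browser attaches the session cookie to cross-site requests as well,
    # so a forged request arrives with a perfectly valid session.
    session: Session


def issue_token(session: Session, action: str) -> str:
    """Token the server embeds in its own forms, bound to this session and this action."""
    return hmac.new(session.csrf_secret, action.encode(), hashlib.sha256).hexdigest()


def add_favorite_folder_unprotected(req: Request, folder_id: int) -> int:
    """Shape of the pre-9.5.0 flaw: a valid session is the only check, so a request
    originating from another site succeeds."""
    req.session.favorites.add(folder_id)
    return 200


def add_favorite_folder_protected(req: Request, folder_id: int) -> int:
    """Hardened form: state change only via POST carrying a token the other site cannot supply."""
    if req.method != "POST":
        return 405
    expected = issue_token(req.session, f"add_favorite_folder:{folder_id}")
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return 403
    req.session.favorites.add(folder_id)
    return 200


def cross_site_request(session: Session, folder_id: int) -> Request:
    """Constructed cross-site POST: session cookie present, no token available to the sender."""
    return Request("POST", {"folder_id": folder_id}, session)
```

The test below shows the unprotected handler accepting the cross-site request while the protected one rejects it, and also rejects a token issued for a different folder or a non-POST method.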

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
