VYPR
High severity · NVD Advisory · Published May 21, 2026

CVE-2026-8417

Description

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation. In order to be vulnerable, the victim must pass canInstallPackages() and the target package must already be installed. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to https://github.com/maru1009 for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS ≤ 9.5.0 lacks CSRF protection on the package upgrade endpoint, allowing an administrator to be tricked into upgrading packages.

Vulnerability

CVE-2026-8417 is a cross-site request forgery (CSRF) vulnerability in Concrete CMS versions 9.5.0 and below. The endpoint /dashboard/extend/update/do_update/ in concrete/controllers/single_page/dashboard/extend/update.php does not validate a CSRF token before processing requests. The do_update() method only checks canInstallPackages() and then executes upgradeCoreData() and upgrade() on the named package's controller.

Exploitation

Because the endpoint is a state-changing GET route with no CSRF token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation. The victim must have the canInstallPackages() permission and the target package must already be installed.
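The weakness described above, as an added illustration that is not Concrete CMS code and not the vendor's 9.5.1 fix (which the Mitigation section says works by detecting Composer-managed installs). The function names, the HMAC token scheme, the `csrf_token` field name and the request and session arrays are all constructed for this example; the real controller, permission system and token helper are not reproduced. It places the vulnerable shape (a GET route guarded only by a permission check) beside a hardened shape (POST only, plus a per-session token that a cross-site page cannot obtain):

```php
<?php
// Added example modelling CVE-2026-8417's control-flow gap; not Concrete CMS code.
// All names, the token scheme and the sample requests below are constructed.

declare(strict_types=1);

// Constructed server-side secret; a real deployment would keep this out of source.
const TOKEN_SECRET = 'constructed-example-secret-do-not-reuse';

/** Stand-in for the CMS permission check the advisory names (canInstallPackages). */
function canInstallPackages(array $session): bool
{
    return !empty($session['user']) && !empty($session['can_install_packages']);
}

/** Stand-in for the package upgrade side effect; returns a description of what ran. */
function upgradePackage(string $handle): string
{
    return "upgraded package {$handle}";
}

/**
 * Vulnerable shape: a state-changing GET route that checks only the permission,
 * as the advisory describes. The browser attaches the admin's session cookie to
 * any navigation, so a cross-site link or image tag is enough to reach this point.
 */
function doUpdateVulnerable(array $request, array $session): array
{
    if (!canInstallPackages($session)) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    $handle = $request['query']['pkg'] ?? '';
    return ['status' => 200, 'body' => upgradePackage($handle)];
}

/** Anti-CSRF token bound to the session id and the action it authorises. */
function generateToken(array $session, string $action): string
{
    return hash_hmac('sha256', $action . ':' . $session['id'], TOKEN_SECRET);
}

function validateToken(array $session, string $action, ?string $candidate): bool
{
    if ($candidate === null || $candidate === '') {
        return false;
    }
    // Constant-time comparison so the check does not leak token bytes via timing.
    return hash_equals(generateToken($session, $action), $candidate);
}

/**
 * Hardened shape: the state change is accepted only on POST and only with a
 * valid token. The permission check stays; the token is what a forged
 * cross-site request cannot supply, because the attacker's page never sees it.
 */
function doUpdateHardened(array $request, array $session): array
{
    if ($request['method'] !== 'POST') {
        return ['status' => 405, 'body' => 'method not allowed'];
    }
    if (!validateToken($session, 'do_update', $request['post']['csrf_token'] ?? null)) {
        return ['status' => 400, 'body' => 'invalid csrf token'];
    }
    if (!canInstallPackages($session)) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    $handle = $request['post']['pkg'] ?? '';
    return ['status' => 200, 'body' => upgradePackage($handle)];
}

// Constructed admin session (passes the permission check) and two request shapes.
$adminSession = ['id' => 'sess-123', 'user' => 'admin', 'can_install_packages' => true];

// A forged cross-site GET: the attacker controls only the URL, never the session.
$forgedGet = ['method' => 'GET', 'query' => ['pkg' => 'example_addon'], 'post' => []];

// The same action submitted from the dashboard's own form, carrying the token.
$legitPost = [
    'method' => 'POST',
    'query'  => [],
    'post'   => [
        'pkg'        => 'example_addon',
        'csrf_token' => generateToken($adminSession, 'do_update'),
    ],
];

printf("vulnerable / forged GET : %s\n", doUpdateVulnerable($forgedGet, $adminSession)['body']);
printf("hardened   / forged GET : %s\n", doUpdateHardened($forgedGet, $adminSession)['body']);
printf("hardened   / legit POST : %s\n", doUpdateHardened($legitPost, $adminSession)['body']);
```

Restricting the route to POST alone is not a fix, since a cross-site form can still auto-submit a POST; the token check is the control that actually distinguishes the dashboard's own form from a forged one, and a `SameSite=Lax` session cookie adds defence in depth against the top-level navigation case the advisory describes.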

Impact

An attacker can cause an unsolicited package upgrade, which could lead to changes in site behavior or data. The CVSS v4.0 score is 7.5 (High) with vector AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating high impact on confidentiality, integrity, and availability.

Mitigation

Concrete CMS 9.5.1 includes behavioral improvements that detect whether the site or add-ons are installed via Composer and disallow direct in-app updates, mitigating this vector [1]. Users should upgrade to version 9.5.1 or later.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
