VYPR
High severity · NVD Advisory · Published May 21, 2026

CVE-2026-8428

Description

Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')), but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, so the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string. To be vulnerable, the victim must pass canUpgrade() and a valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to https://github.com/maru1009 for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.5.0 and below fails to validate CSRF token in the update process, allowing attackers to trigger unauthorized core updates via cross-site request.

Root Cause

The vulnerability lies in the update mechanism of Concrete CMS versions 9.5.0 and earlier. The view local_available_update.php emits a CSRF token via $token->output('do_update'), but the corresponding controller method do_update() in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). This means the token is rendered in the form but is not verified upon submission, leaving the action unprotected against cross-site request forgery.

Exploitation Prerequisites

An attacker can craft a malicious POST request to the vulnerable endpoint. For the attack to succeed, the victim's session must pass the canUpgrade() check, and a valid update version must already be present under DIR_CORE_UPDATES; the attacker cannot supply a package, only name one that is staged. The attacker must also get an authenticated administrator to submit the forged request (e.g., via a phishing link or an auto-submitting form on an attacker-controlled page); the browser attaches the admin's session cookie, and because the controller never checks the token, the missing token field does not matter. The CVSS vector (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects this: PR:N because the attacker needs no account of their own, UI:A because the administrator must act, and AT:P because a staged update under DIR_CORE_UPDATES must exist.
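The root-cause and exploitation passages above describe a token that is rendered into the form but never checked on submission. The PHP below is an added illustration of that pattern and of the one-line fix; it is not Concrete CMS source. The Token class, the UpdateController, the csrf_token field name and the staged-version list are stand-ins that mimic only the interface the advisory names (output('do_update') in the view, validate('do_update') in the controller) and the two stated preconditions (canUpgrade() and a version present under DIR_CORE_UPDATES).

```php
<?php
// Added illustration, not Concrete CMS source. Token, UpdateController and the
// field names are assumptions built to show the advisory's pattern.
declare(strict_types=1);

final class Token
{
    public function __construct(private string $sessionSecret) {}

    // Raw token for one action, bound to the session secret so a token minted
    // for one form (or one user) cannot be replayed against another.
    public function value(string $action): string
    {
        return hash_hmac('sha256', $action, $this->sessionSecret);
    }

    // What the view embeds in the form; mirrors the advisory's $token->output('do_update').
    public function output(string $action): string
    {
        return '<input type="hidden" name="csrf_token" value="' . $this->value($action) . '">';
    }

    // Constant-time comparison of the submitted field against a fresh computation.
    public function validate(string $action, array $post): bool
    {
        $submitted = $post['csrf_token'] ?? '';
        return is_string($submitted) && hash_equals($this->value($action), $submitted);
    }
}

final class UpdateController
{
    /** @var string[] */
    public array $log = [];

    public function __construct(
        private Token $token,
        private bool $canUpgrade,        // stand-in for the page's canUpgrade()
        private array $stagedVersions,   // stand-in for what exists under DIR_CORE_UPDATES
    ) {}

    // Vulnerable shape: the token reached the browser via output(), but this
    // handler never calls validate(), so any POST naming a staged version wins.
    public function doUpdateVulnerable(array $post): bool
    {
        return $this->applyUpdate((string) ($post['version'] ?? ''));
    }

    // Hardened shape: identical logic, but the request is rejected unless the
    // action-bound token the view emitted comes back with the POST.
    public function doUpdateHardened(array $post): bool
    {
        if (!$this->token->validate('do_update', $post)) {
            $this->log[] = 'rejected: missing or invalid CSRF token';
            return false;
        }
        return $this->applyUpdate((string) ($post['version'] ?? ''));
    }

    private function applyUpdate(string $version): bool
    {
        // Both preconditions from the advisory: permission and a staged version.
        if (!$this->canUpgrade || !in_array($version, $this->stagedVersions, true)) {
            $this->log[] = 'no-op: not permitted or version not staged';
            return false;
        }
        $this->log[] = "core update applied: $version";
        return true;
    }
}

// Constructed scenario: an administrator with a live session (canUpgrade() true)
// and one update package staged. The forged POST from another origin arrives
// with the session cookie but without the hidden token field.
$token      = new Token(bin2hex(random_bytes(16)));
$controller = new UpdateController($token, true, ['staged-release']);

$forgedPost = ['version' => 'staged-release'];               // attacker-chosen, no token

$vulnerable = $controller->doUpdateVulnerable($forgedPost);   // true: update fires
$hardened   = $controller->doUpdateHardened($forgedPost);     // false: blocked

// The genuine form submission still works against the hardened handler.
$legitPost  = ['version' => 'staged-release', 'csrf_token' => $token->value('do_update')];
$legit      = $controller->doUpdateHardened($legitPost);      // true

printf("forged vs vulnerable: %s\nforged vs hardened: %s\nlegit vs hardened: %s\n",
    var_export($vulnerable, true), var_export($hardened, true), var_export($legit, true));
print_r($controller->log);
```

Run with `php csrf_update_demo.php` (PHP 8.0 or later). The point to notice is that the vulnerable handler is not missing the token machinery; the view emits it and the browser sends it back on a genuine submission. What is missing is the single validate() call, and a forged POST that omits the field entirely sails through. A code-review check for this class of bug is to grep every controller action reachable by POST for a matching validate() call on the same action name the view used in output().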

Impact

Successful exploitation lets the attacker trigger a core CMS update to a version string of their choosing, subject to that version being present under DIR_CORE_UPDATES. Because the update replaces the running core, the forged request can move the site to a version the administrator never chose to apply, including a staged older release. The vector rates confidentiality, integrity and availability impact High (VC:H/VI:H/VA:H) with no subsequent-system impact, for a score of 7.5.

Mitigation

The issue is fixed in Concrete CMS version 9.5.1, as documented in the release notes [1]. Users are strongly advised to upgrade to 9.5.1 or later. Additionally, sites installed via Composer are now disallowed from performing in-app updates, which removes the attack vector for those installations. Until a site is upgraded, the stated preconditions point to an interim measure: the forged request only succeeds when a valid update version is present under DIR_CORE_UPDATES, so not leaving update packages staged there while administrators browse closes the window.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
