Concrete CMS, CSRF Token Validation Missing, CVE-2026-8428 (High)

Listen to this Post

How the CVE works:

In Concrete CMS versions 9.5.0 and below, the `local_available_update.php` view emits a CSRF token via `$token->output(‘do_update’)` for the core update form. This token is sent to the browser as part of a POST form. However, the corresponding `do_update()` method inside `concrete/controllers/single_page/dashboard/system/update/update.php` never calls `$this->token->validate(‘do_update’)` to verify the token upon submission. Because the controller discards the token without any validation, an attacker can craft a cross-site POST request that triggers a core CMS update. The attacker can specify an arbitrary version string, provided two conditions are met: the victim user must pass the `canUpgrade()` check (i.e., have administrative upgrade permissions), and a valid update package matching the attacker’s version string must exist under the `DIR_CORE_UPDATES` directory. Successful exploitation leads to an unauthorized upgrade, potentially to a malicious or vulnerable core version, compromising the integrity and availability of the CMS. The vulnerability has a CVSS v4.0 base score of 7.5 (High) with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating low attack complexity but requiring user interaction and a passive network attacker.

DailyCVE Form:

Platform: Concrete CMS
Version: 9.5.0 and below
Vulnerability : CSRF validation missing
Severity: High (7.5)
date: 2026-05-21

Prediction: Patch expected 2026-06-15

What Undercode Say:

Check if vulnerable: grep -r "do_update" concrete/controllers/single_page/dashboard/system/update/update.php
Look for missing token validation
curl -X POST https://target.com/index.php/dashboard/system/update/update/do_update \
-d "update_version=9.5.1_malicious" \
--cookie "PHPSESSID=victim_session"
Monitor update directory: ls -la DIR_CORE_UPDATES/

Exploit:

Attacker hosts malicious HTML form auto-submitting POST to `/dashboard/system/update/update/do_update` with parameter update_version=attacker_controlled. Victim admin clicks link while logged in – forces CMS update to arbitrary version if update archive exists.

Protection from this CVE:

Upgrade to patched Concrete CMS version (9.5.1 or higher) once available. Apply `$this->token->validate(‘do_update’)` in `do_update()` method. Enable CSRF protections globally and restrict update directory access.

Impact:

Unauthorized core update to malicious or vulnerable version, leading to full site compromise, data loss, or denial of service. Administrative privileges required but bypass CSRF protection.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

(AutoGPT), Log Size Unbounded, CVE-2025-32425 (Medium)

Scroll to Top