PatchSiren cyber security CVE debrief
CVE-2026-7882 Concrete CMS CVE debrief
CVE-2026-7882 is a low-severity but real authorization-bypass issue in Concrete CMS file deletion handling. The vulnerable DeleteFile controller rejects valid CSRF tokens and continues when the token is missing or invalid, effectively disabling CSRF protection for that endpoint. That means an attacker can potentially induce file deletion through a cross-site request if the victim is an authenticated user with the needed conversation-message editing permissions.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators, site owners, and security teams running Concrete CMS 9.5.0 or below, especially installations that allow users to edit conversation messages or otherwise reach the DeleteFile workflow.
Technical summary
The issue is an inverted CSRF token check in Concrete CMS's DeleteFile controller. Instead of requiring a valid token before proceeding, the code throws an error when the token is valid and allows the file deletion action when the token is invalid or absent. NVD classifies the weakness as CWE-352 (Cross-Site Request Forgery). The practical impact is limited to unauthorized deletion; the reported CVSS v4.0 vector reflects a network attack vector, no privileges required, required user interaction, and low integrity impact with no confidentiality or availability impact.
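To make the inverted predicate concrete, here is an added, framework-independent illustration in Python (not Concrete CMS's PHP code, and not taken from the vendor's fix). The token scheme (an HMAC of the action name under a per-session secret), the `csrf_token` request field and the `delete_file` action name are assumptions made for this example. The vulnerable handler keeps the behaviour the advisory describes: a valid token is rejected, a missing or wrong token lets the deletion proceed; the fixed handler inverts the condition back.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical action name used to bind the token to the deletion operation.
DELETE_ACTION = "delete_file"


def issue_token(session_secret: bytes, action: str) -> str:
    """Derive the anti-CSRF token that a legitimate same-site form would embed.
    Constructed scheme for this example: HMAC-SHA256(session_secret, action)."""
    return hmac.new(session_secret, action.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_secret: bytes, action: str, presented: Optional[str]) -> bool:
    """True only when a token was presented and it matches the session's expected value."""
    if not presented:
        return False
    expected = issue_token(session_secret, action)
    # Constant-time comparison so the token value does not leak through timing.
    return hmac.compare_digest(expected, presented)


def delete_file_vulnerable(request: dict, session_secret: bytes, files: set) -> str:
    """Inverted check, as described in the advisory: error on a valid token,
    proceed when the token is missing or invalid."""
    if token_is_valid(session_secret, DELETE_ACTION, request.get("csrf_token")):
        raise PermissionError("CSRF token rejected")
    files.discard(request["file_id"])
    return "deleted"


def delete_file_fixed(request: dict, session_secret: bytes, files: set) -> str:
    """Corrected predicate: refuse the request unless the token validates."""
    if not token_is_valid(session_secret, DELETE_ACTION, request.get("csrf_token")):
        raise PermissionError("CSRF token rejected")
    files.discard(request["file_id"])
    return "deleted"


def run_handler(handler, request: dict, session_secret: bytes, files: set) -> str:
    """Map the handler's raise/return into a plain outcome string."""
    try:
        return handler(request, session_secret, files)
    except PermissionError:
        return "rejected"


def compare_behaviour() -> dict:
    """Exercise both handlers with a forged cross-site request (no token, because a
    cross-origin page cannot read the victim's token) and a legitimate same-site
    request carrying a valid token. Returns the outcome for each case."""
    session_secret = secrets.token_bytes(32)
    forged = {"file_id": 42}
    legitimate = {"file_id": 42, "csrf_token": issue_token(session_secret, DELETE_ACTION)}
    results = {}
    for name, handler in (("vulnerable", delete_file_vulnerable), ("fixed", delete_file_fixed)):
        results[name] = {
            "forged": run_handler(handler, forged, session_secret, {42}),
            "legitimate": run_handler(handler, legitimate, session_secret, {42}),
        }
    return results


if __name__ == "__main__":
    for variant, outcome in compare_behaviour().items():
        print(variant, outcome)
```

Running the block prints that the vulnerable variant deletes on the forged request and rejects the legitimate one, while the fixed variant does the opposite. The same pattern is worth a unit test in any project: assert that the endpoint refuses a request without a token, not only that it accepts one with a token, because the inverted check passes the second test alone.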
Defensive priority
Low overall severity, but it should be patched promptly if your deployment exposes the affected deletion path to authenticated users. Prioritize faster if conversation/message editing is enabled for users and file deletion matters operationally.
Recommended defensive actions
- Confirm whether your Concrete CMS deployment is on version 9.5.0 or below.
- Review the Concrete CMS 9.5.1 release notes and vendor guidance referenced in the advisory materials.
- Apply the vendor-provided fix or upgrade path as soon as it is available for your environment.
- Restrict who can edit conversation messages and who can trigger file deletion workflows.
- Monitor for unexpected file deletions and review application logs for suspicious request patterns around the affected endpoint.
- If you cannot upgrade immediately, apply compensating controls such as limiting exposure of the affected functionality and tightening authenticated user permissions.
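As an added example of the log review suggested above (not part of the original advisory and not Concrete CMS tooling), the following Python scans web-server access logs in combined format for POSTs to the deletion route whose Referer is missing or points off-site, which is what a request issued from a cross-site form would look like. The route marker `/delete_file`, the hostname `cms.example.org` and the log lines are constructed placeholders; substitute the real path and host from your deployment.

```python
import re
from urllib.parse import urlsplit

# Assumed hostname of the protected site.
SITE_HOST = "cms.example.org"
# Placeholder substring identifying the affected deletion route in your logs.
DELETE_PATH_MARKER = "/delete_file"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one same-site deletion, two that a cross-site page could
# have triggered, and a GET that is not a deletion attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2026:10:00:01 +0000] "POST /index.php/placeholder/delete_file HTTP/1.1" 200 51 "https://cms.example.org/conversation/edit/7" "Mozilla/5.0"
198.51.100.9 - - [21/May/2026:10:02:13 +0000] "POST /index.php/placeholder/delete_file HTTP/1.1" 200 51 "https://other-site.example/page.html" "Mozilla/5.0"
198.51.100.9 - - [21/May/2026:10:02:20 +0000] "POST /index.php/placeholder/delete_file HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2026:10:03:00 +0000] "GET /index.php/placeholder/delete_file HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""


def referer_is_same_site(referer: str) -> bool:
    """Treat an absent Referer ("-" in combined format) as not same-site."""
    if referer in ("", "-"):
        return False
    return urlsplit(referer).hostname == SITE_HOST


def flag_suspicious_deletions(log_text: str) -> list:
    """Return one finding per POST to the deletion route whose Referer is missing
    or belongs to another host. Each finding records ip, time, status and reason."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or DELETE_PATH_MARKER not in m["path"]:
            continue
        if referer_is_same_site(m["referer"]):
            continue
        reason = "missing-referer" if m["referer"] in ("", "-") else "off-site-referer"
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": m["status"],
            "referer": m["referer"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_deletions(SAMPLE_LOG):
        print(f)
```

A missing Referer is a weaker signal than an off-site one, because referrer policies and privacy extensions strip it for legitimate users, so treat "missing-referer" findings as candidates to correlate with the application's own deletion records rather than as confirmed abuse. A 200 status on a flagged line is the case worth checking first, since it indicates the deletion path completed.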
Evidence notes
The corpus describes CVE-2026-7882 as affecting Concrete CMS 9.5.0 and below due to an inverted CSRF token check in the DeleteFile controller. The NVD record lists CWE-352 and a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The linked Concrete CMS release notes page is the only vendor reference supplied in the corpus. Vendor attribution in the source data is marked low confidence and needs review, so the product name should be treated as Concrete CMS based on the supplied evidence rather than broader assumptions.
Official resources
- CVE-2026-7882 CVE record (CVE.org)
- CVE-2026-7882 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
Published in the CVE/NVD record on 2026-05-21T22:16:49.020Z. The advisory credits Tristan Mandani for reporting the issue.