PatchSiren cyber security CVE debrief
CVE-2026-8340 Concrete CMS CVE debrief
Concrete CMS versions 9.5.0 and below contain a Cross-Site Request Forgery (CSRF) vulnerability in the file approval workflow. An attacker can craft a malicious request that, when triggered by an authenticated user with the edit_file_contents permission, causes the victim to unknowingly publish a previously uploaded file version. This enables two attack scenarios: downgrading a file to an older version (potentially restoring malicious content), or activating an unpublished version uploaded by a co-editor. The vulnerability exists because the Backend::File::approveVersion endpoint does not implement sufficient CSRF protection. The Concrete CMS security team assessed this as LOW severity (CVSS 4.0: 2.3), reflecting the need for user interaction and the limited integrity impact. The issue was resolved in version 9.5.1.
- Vendor
- Concrete CMS
- Product
- Unknown
- CVSS
- LOW 2.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-22
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-22
- Advisory updated
- 2026-05-26
Who should care
Concrete CMS administrators and developers managing multi-user content environments where file version control integrity is critical. Organizations with collaborative editing workflows where multiple users upload and manage file versions.
Technical summary
The vulnerability resides in Backend::File::approveVersion, where insufficient CSRF protection allows attackers to forge requests that publish attacker-selected file versions. Exploitation requires a victim who holds the edit_file_contents permission and who triggers the forged request (user interaction). Attack vectors include version downgrade attacks and unauthorized activation of pending file versions. Fixed in 9.5.1.
Defensive priority
low
Recommended defensive actions
- Upgrade Concrete CMS to version 9.5.1 or later to remediate this vulnerability.
- Review file version history for unauthorized changes if running affected versions, particularly checking for unexpected version activations or downgrades.
- Implement additional access controls and monitoring for users with edit_file_contents permission.
- Consider implementing Content Security Policy (CSP) and SameSite cookie attributes as defense-in-depth measures against CSRF attacks.
- Verify that custom themes or plugins do not introduce similar CSRF vulnerabilities in file management workflows.
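The following is an added illustration, not Concrete CMS code and not the vendor's fix: a minimal file-version approval handler written twice, once with only a permission check (the shape of the defect class described in the technical summary, where the victim's ambient session is enough for a forged cross-site POST to publish a version) and once hardened with a session-bound synchronizer token plus an Origin/Referer check, the same controls the defensive actions above recommend. All names (Session, Request, approve_version, the csrf_token form field, the file store layout and the sample versions) are assumptions constructed for the example, and it also shows the check custom themes or plugins should apply to their own file-management endpoints.

```python
"""Added example (not Concrete CMS code): CSRF-safe file-version approval.
Every identifier below is hypothetical; the sample data is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUSTED_ORIGIN = "https://cms.example"             # constructed site origin
SERVER_SECRET = b"constructed-server-side-secret"  # constructed; real code loads it from config
APPROVE_ACTION = "approve_version"                 # hypothetical action name that scopes the token


@dataclass
class Session:
    user_id: int
    permissions: set
    csrf_nonce: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    form: dict
    headers: dict
    session: Session


def csrf_token(session: Session, action: str) -> str:
    """Synchronizer token: HMAC of the per-session nonce and the action name,
    so a token leaked for one action cannot be replayed against another."""
    msg = f"{session.csrf_nonce}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(req: Request, action: str) -> bool:
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, csrf_token(req.session, action))


def origin_allowed(req: Request) -> bool:
    """Independent second check: the request must come from our own origin.
    Full scheme+host comparison, not a prefix match, so attacker-owned
    hosts that merely start with our name are rejected."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    given, trusted = urlparse(src), urlparse(TRUSTED_ORIGIN)
    return (given.scheme, given.netloc) == (trusted.scheme, trusted.netloc)


def new_store() -> dict:
    """Constructed sample: file 7 has three versions; version 3 is live."""
    return {7: {"approved": 3, "versions": {1: "alice", 2: "alice", 3: "bob"}}}


def approve_version_unprotected(req: Request, store: dict) -> int:
    """Defect-class shape: permission check only. The victim's cookie is sent
    automatically, so a forged cross-site POST is accepted."""
    if "edit_file_contents" not in req.session.permissions:
        return 403
    file_id, version_id = int(req.form["file_id"]), int(req.form["version_id"])
    if version_id not in store[file_id]["versions"]:
        return 404
    store[file_id]["approved"] = version_id
    return 200


def approve_version(req: Request, store: dict) -> int:
    """Hardened handler: POST only, then permission, CSRF token and origin."""
    if req.method != "POST":
        return 405
    if "edit_file_contents" not in req.session.permissions:
        return 403
    if not token_valid(req, APPROVE_ACTION) or not origin_allowed(req):
        return 403
    file_id, version_id = int(req.form["file_id"]), int(req.form["version_id"])
    if version_id not in store[file_id]["versions"]:
        return 404
    store[file_id]["approved"] = version_id
    return 200


def run_demo() -> dict:
    """Returns (status, live version) for each scenario so results can be checked."""
    victim = Session(user_id=42, permissions={"edit_file_contents"})
    # Cross-site form post: carries the victim's session, no token, foreign Origin.
    forged = Request("POST", {"file_id": "7", "version_id": "1"},
                     {"Origin": "https://attacker.example"}, victim)
    # The site's own form: includes the token and is sent from the trusted origin.
    genuine = Request("POST", {"file_id": "7", "version_id": "2",
                               "csrf_token": csrf_token(victim, APPROVE_ACTION)},
                      {"Origin": TRUSTED_ORIGIN}, victim)
    s1, s2, s3 = new_store(), new_store(), new_store()
    return {
        "unprotected_forged": (approve_version_unprotected(forged, s1), s1[7]["approved"]),
        "protected_forged": (approve_version(forged, s2), s2[7]["approved"]),
        "protected_genuine": (approve_version(genuine, s3), s3[7]["approved"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

The unprotected handler downgrades file 7 to version 1 on the forged request; the hardened one rejects it and leaves version 3 live, while the genuine form post still approves version 2. The token and origin checks are deliberately both required: the token covers browsers that strip Origin/Referer, and the origin check catches a token that leaked through a plugin or template.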
Evidence notes
CVE published 2026-05-22; modified 2026-05-26. Vendor release notes confirm fix in 9.5.1. CVSS 4.0 vector provided by Concrete CMS security team. CWE-352 (CSRF) identified.
Official resources
- CVE-2026-8340 CVE record (CVE.org)
- CVE-2026-8340 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: ff5b8ace-8b95-4078-9743-eac1ca5451de - Release Notes (2026-05-22)