PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8409 Concrete CMS CVE debrief

CVE-2026-8409 is a low-severity Cross-Site Request Forgery issue in Concrete CMS 9 before 9.5.0. The vulnerable endpoint is concrete/controllers/dialog/logs/delete, which could let an attacker induce an unwanted log-deletion action through a victim’s browser session.

Vendor: Concrete CMS
Product: Unknown
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running Concrete CMS 9 versions before 9.5.0, especially where log retention, auditability, or incident response depends on preserving application logs.

Technical summary

NVD classifies this as a CSRF issue with CVSS v4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, that is, network-reachable and low-complexity, requiring no privileges but a precondition (AT:P) and passive user interaction (UI:P), with a low integrity impact and no confidentiality or availability impact. The issue affects the log deletion controller path concrete/controllers/dialog/logs/delete and is associated with CWE-352 (Cross-Site Request Forgery) and CWE-1275 (Sensitive Cookie with Improper SameSite Attribute). The supplied vendor reference points to the Concrete CMS 9.5.0 release notes, indicating the issue is addressed in that release.

Defensive priority

Low severity, but worth prioritizing in any environment that relies on accurate logs, or where administrators keep an authenticated CMS session open while browsing other sites.

Recommended defensive actions

  • Upgrade Concrete CMS 9 to version 9.5.0 or later.
  • Review administrative workflows that can delete logs and limit access to only necessary operators.
  • Monitor for unexpected log deletion activity around the CVE publication date and after deployment windows.
  • Confirm that browser-session protections and general anti-CSRF controls are enabled in your deployment baseline.
  • Preserve out-of-band backups or centralized log copies so a forged deletion request cannot erase all evidence.
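One way to act on the monitoring item above, as an added illustration that is not Concrete CMS code or PatchSiren tooling: a Python scanner over web-server access logs in Apache/nginx combined format that records every request to the endpoint named in the CVE and grades it by its Referer. The log lines are constructed, and the site host cms.example.internal and the leading-slash form of the endpoint path are assumptions.

```python
"""Grade requests to the Concrete CMS log-deletion endpoint found in access logs.

Added illustration, not Concrete CMS code or PatchSiren tooling. SAMPLE_LOG is
constructed; SITE_HOST and the leading-slash DELETE_PATH are assumptions.
"""
import re
from urllib.parse import urlsplit

# Endpoint named in the CVE description (leading slash assumed).
DELETE_PATH = "/concrete/controllers/dialog/logs/delete"
# Assumption: the host name the CMS is served from in your deployment.
SITE_HOST = "cms.example.internal"

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one legitimate deletion, one with a foreign Referer,
# one with no Referer at all, plus unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2026:10:01:02 +0000] "GET /dashboard/reports/logs HTTP/1.1" 200 5120 "https://cms.example.internal/dashboard" "Mozilla/5.0"
10.0.0.5 - - [21/May/2026:10:01:15 +0000] "POST /concrete/controllers/dialog/logs/delete HTTP/1.1" 200 45 "https://cms.example.internal/dashboard/reports/logs" "Mozilla/5.0"
10.0.0.5 - - [21/May/2026:10:07:40 +0000] "POST /concrete/controllers/dialog/logs/delete HTTP/1.1" 200 45 "https://attacker.example/lure.html" "Mozilla/5.0"
10.0.0.9 - - [21/May/2026:10:09:03 +0000] "POST /concrete/controllers/dialog/logs/delete HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.0.0.9 - - [21/May/2026:10:09:10 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of a Referer value; None when the field is empty or '-'."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def scan(log_text, site_host=SITE_HOST):
    """Return one finding per request to the log-deletion endpoint.

    Grades: 'high' for a Referer from another host, 'medium' when no Referer
    is present (Referrer-Policy can strip it, so this is a weaker signal),
    'info' for a same-site Referer, which still deserves reconciliation
    against change records. Unparseable lines are skipped.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None or urlsplit(entry["path"]).path != DELETE_PATH:
            continue
        host = referer_host(entry["referer"])
        if host is None:
            signal, detail = "medium", "no Referer on log-deletion request"
        elif host != site_host:
            signal, detail = "high", f"cross-site Referer {host!r} on log-deletion request"
        else:
            signal, detail = "info", "same-site log deletion; reconcile with change records"
        findings.append({
            "line": lineno,
            "ip": entry["ip"],
            "time": entry["time"],
            "method": entry["method"],
            "status": entry["status"],
            "signal": signal,
            "detail": detail,
        })
    return findings


def summarize(findings):
    """Count findings per signal level, e.g. {'high': 1, 'medium': 1, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f["signal"]] = counts.get(f["signal"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']:>3} {f['signal']:<6} {f['ip']:<10} {f['time']} {f['detail']}")
    print(summarize(results))
```

Because a forged request is issued by the victim's own browser with the victim's session, the source IP, user agent and status code all look legitimate; the Referer is the main access-log signal, and it can be absent under a strict Referrer-Policy, which is why a missing Referer is graded medium rather than dismissed. Treat this as a triage aid to be correlated with the application's own audit trail and with the out-of-band log copies from the last item above.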

Evidence notes

The CVE description states that Concrete CMS 9 before 9.5.0 is vulnerable to CSRF at concrete/controllers/dialog/logs/delete and credits Yonatan Drori (Tenzai) for reporting. NVD provides the CVSS v4.0 vector and lists CWE-352/CWE-1275. The only vendor reference supplied is the Concrete CMS 9.5.0 release notes, which supports the remediation version.

Official resources

Published by the CVE Program and NVD on 2026-05-21. The supplied description credits Yonatan Drori (Tenzai) for reporting, and the vendor reference points to Concrete CMS 9.5.0 release notes as the remediation source.