PatchSiren


CVE-2026-8412 Concrete CMS CVE debrief

CVE-2026-8412 is a low-severity cross-site request forgery (CSRF) issue in Concrete CMS 9 before 9.5.0, affecting the bulk cache dialog controller path. The CVE was published on 2026-05-21 with a CVSS v4.0 base score of 2.3. The vector describes a network-reachable endpoint that an attacker can target without any privileges of their own (PR:N), but only under attack requirements (AT:P) and with passive user interaction (UI:P): a victim who is already logged in must load attacker-controlled content, and the result is limited to a low integrity impact (VI:L) with no confidentiality or availability impact. The safest response is to upgrade to the fixed Concrete CMS version and verify that the bulk cache workflow now rejects requests that lack a valid anti-CSRF token.

Vendor
Concrete CMS
Product
Unknown
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Concrete CMS 9 site owners, administrators, and maintainers running versions before 9.5.0, especially teams whose administrators stay logged in to the dashboard while browsing other sites, since that is the precondition for a CSRF attack against the bulk cache workflow.

Technical summary

NVD describes CVE-2026-8412 as a CSRF weakness at concrete/controllers/dialog/page/bulk/cache in Concrete CMS 9 before 9.5.0. The controller acts on the caller's authenticated session, so a victim with an active session who loads an attacker-controlled page could be made to submit a forged request that triggers an unintended cache-related state change on the pages named in that request. The NVD metadata lists CWE-352 (Cross-Site Request Forgery) and CWE-1275 (Sensitive Cookie with Improper SameSite Attribute); the second entry matters because a session cookie with a permissive SameSite attribute is what lets the browser attach the victim's session to the forged request. The published CVSS v4.0 vector reflects required user interaction and limited integrity impact.

Defensive priority

Low to moderate. This is not an emergency based on the published CVSS 2.3 score, but it should be corrected on a normal maintenance timeline: CSRF in an administrative workflow changes state without the administrator's intent, and the attacker needs no account on the site to attempt it.

Recommended defensive actions

  • Upgrade Concrete CMS 9.x to 9.5.0 or later.
  • Confirm the affected bulk cache controller path now requires and validates a per-session anti-CSRF token, and rejects requests that omit it or carry a token minted for a different session.
  • Verify administrative workflows are restricted to trusted users and that the session cookie carries a SameSite attribute (Lax or Strict) plus the Secure and HttpOnly flags, so the browser does not attach it to cross-site POST requests.
  • Use the Concrete CMS release notes referenced by NVD to confirm the fixed version and any follow-up guidance.
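The following is an added illustration, not code from Concrete CMS or from the CVE record, of the two failure modes the technical summary and the checklist above describe. It models a "bulk cache" dialog handler in two forms: a vulnerable one that trusts the session cookie alone, and a hardened one that additionally requires an action-scoped HMAC token bound to the session and checks the request Origin. A small helper also models the browser's SameSite cookie rules, which is the CWE-1275 side of the finding. All names (Site, Request, bulk_cache_vulnerable, bulk_cache_hardened, the ccm_token parameter name, the hostnames) are assumptions for the example and do not describe Concrete's actual implementation.

```python
"""Model of a CSRF-prone admin action and its hardened form (illustration, not Concrete CMS code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed per-process secret; a real site would use a persistent, private server key.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    method: str
    cookies: dict        # cookies the browser attached (e.g. {"SESSION": sid})
    params: dict         # form/query parameters
    headers: dict        # e.g. {"Origin": "https://..."}


@dataclass
class Site:
    host: str
    sessions: dict = field(default_factory=dict)          # session id -> user name
    cache_cleared_for: list = field(default_factory=list)  # audit of state changes

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def csrf_token(self, sid, action):
        # Token bound to both the session and the action, so a token minted for the attacker's
        # own session, or for a different dialog, does not validate here (assumed design).
        msg = f"{sid}:{action}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def _user(self, req):
        return self.sessions.get(req.cookies.get("SESSION"))

    def bulk_cache_vulnerable(self, req):
        """CWE-352 pattern: any request carrying a valid session cookie is acted on."""
        if self._user(req) is None:
            return 401
        self.cache_cleared_for.extend(req.params.get("pages", []))
        return 200

    def bulk_cache_hardened(self, req):
        """Same action, but the request must prove it came from the site's own UI."""
        if self._user(req) is None:
            return 401
        if req.method != "POST":          # state changes only via POST
            return 405
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        parts = urlsplit(origin)          # full parse: avoids "https://host.evil" prefix tricks
        if parts.scheme != "https" or parts.netloc != self.host:
            return 403
        expected = self.csrf_token(req.cookies["SESSION"], "bulk_cache")
        supplied = req.params.get("ccm_token", "")
        if not hmac.compare_digest(expected, supplied):
            return 403
        self.cache_cleared_for.extend(req.params.get("pages", []))
        return 200


def browser_attaches_cookie(samesite, cross_site, method, top_level_navigation):
    """Browser SameSite rules: when is the session cookie sent on a request? (CWE-1275 angle)"""
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level_navigation and method in ("GET", "HEAD", "OPTIONS", "TRACE")
    return True  # SameSite=None (or a legacy browser default): always attached


def run_demo():
    """Exercise both handlers with a legitimate and a forged request; return the status codes."""
    site = Site(host="cms.example.test")
    victim_sid = site.login("admin")
    attacker_sid = site.login("attacker")  # attacker may hold a session on some other account

    # Constructed legitimate request: issued from the site's own dialog with a valid token.
    legit = Request("POST", {"SESSION": victim_sid},
                    {"pages": ["home", "about"], "ccm_token": site.csrf_token(victim_sid, "bulk_cache")},
                    {"Origin": "https://cms.example.test"})
    # Constructed forged request: auto-submitted form on attacker.example; the browser attaches
    # the victim's cookie but the page cannot read or mint the victim's token.
    forged = Request("POST", {"SESSION": victim_sid}, {"pages": ["home"]},
                     {"Origin": "https://attacker.example"})
    # Forged request reusing the attacker's own token and a look-alike origin.
    forged_token = Request("POST", {"SESSION": victim_sid},
                           {"pages": ["home"], "ccm_token": site.csrf_token(attacker_sid, "bulk_cache")},
                           {"Origin": "https://cms.example.test.attacker.example"})

    return {
        "vulnerable_forged": site.bulk_cache_vulnerable(forged),
        "hardened_forged": site.bulk_cache_hardened(forged),
        "hardened_forged_token": site.bulk_cache_hardened(forged_token),
        "hardened_legit": site.bulk_cache_hardened(legit),
        "cleared": list(site.cache_cleared_for),
    }


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable handler accepts the forged request because the session cookie is all it checks; the hardened one rejects it on Origin and on the missing or foreign token. browser_attaches_cookie shows the complementary control: with SameSite=Lax the victim's cookie is never sent on a cross-site POST in the first place, so even the vulnerable handler would answer 401 to the forged form submission.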

Evidence notes

The CVE record and NVD metadata published on 2026-05-21 identify a CSRF issue in Concrete CMS 9 before 9.5.0, with CVSS v4.0 2.3 and the vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The NVD reference list links to Concrete CMS version-history release notes as the vendor-side source.

Official resources

Publicly disclosed in the CVE record on 2026-05-21. The report credits Yonatan Drori (Tenzai) for reporting the issue.