PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8414 Concrete CMS CVE debrief

CVE-2026-8414 is a low-severity CSRF issue affecting Concrete CMS 9 versions before 9.5.0. The vulnerable endpoint is identified as concrete/controllers/dialog/event/duplicate. Because CSRF can cause a logged-in user’s browser to submit unintended actions, administrators should review any Concrete CMS 9 deployments and update to a fixed version.

Vendor
Concrete CMS
Product
Unknown
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Concrete CMS administrators, site owners, and anyone maintaining Concrete CMS 9 installations before 9.5.0, especially environments where authenticated users can reach the affected dialog controller.

Technical summary

The issue is classified as CSRF (CWE-352), with an additional CWE-1275 mapping in the supplied metadata. The NVD record gives CVSS v4.0 2.3 (AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N): the endpoint is network-reachable and the attacker needs no privileges of their own, but exploitation depends on user interaction and on a precondition in the target environment, and the only impact is a low loss of integrity, with no confidentiality or availability effect. The affected area is concrete/controllers/dialog/event/duplicate in Concrete CMS 9 before 9.5.0.

Defensive priority

Routine patching, but prioritize updating affected Concrete CMS 9 systems promptly because the flaw can let a victim's browser perform unintended authenticated actions.

Recommended defensive actions

  • Confirm whether any Concrete CMS 9 instances are running versions earlier than 9.5.0.
  • Upgrade affected installations to a version that includes the fix referenced by the Concrete CMS security update.
  • Review administrative and authenticated workflows that reach concrete/controllers/dialog/event/duplicate for CSRF protections and token validation.
  • Check for suspicious state-changing requests involving authenticated users around the affected area.
  • If immediate upgrading is not possible, limit access to administrative interfaces and reduce exposure of sensitive authenticated actions.
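As an added example (not code from PatchSiren or the Concrete CMS project), the following Python triage script implements the log review suggested above: it scans combined-format access log lines for state-changing requests to the affected dialog whose Referer is missing or points at another site. It assumes the controller is reachable under a URL path containing `event/duplicate` and runs over constructed sample log lines.

```python
import re
from urllib.parse import urlparse

# Assumption (not stated in the advisory): the dialog controller
# concrete/controllers/dialog/event/duplicate is served under a URL path
# containing this fragment. Adjust to the real route of your deployment.
AFFECTED_PATH_FRAGMENT = "event/duplicate"
SITE_HOST = "cms.example.test"  # constructed sample hostname of the CMS

# Apache/Nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify(line):
    """Return None for uninteresting lines, else a dict saying why the request is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: not a hit, but worth counting in a real pipeline
    d = m.groupdict()
    if AFFECTED_PATH_FRAGMENT not in d["path"] or d["method"] not in ("POST", "PUT", "DELETE"):
        return None  # only state-changing requests to the affected dialog matter for CSRF
    referer_host = urlparse(d["referer"]).hostname if d["referer"] not in ("", "-") else None
    if referer_host == SITE_HOST:
        return None  # same-site Referer: consistent with a user clicking in the CMS UI
    # A foreign Referer is the strong signal; a missing one is weak (privacy settings strip it).
    reason = "cross-site referer" if referer_host else "missing referer"
    return {"ip": d["ip"], "user": d["user"], "time": d["time"], "path": d["path"],
            "referer": d["referer"], "reason": reason}

def scan(lines):
    """Run classify over an iterable of log lines and return the hits in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]

# Constructed sample log lines (not real traffic; the URL path is a constructed assumption).
SAMPLE_LOG = [
    '203.0.113.5 - editor [21/May/2026:10:01:02 +0000] "POST /ccm/system/dialogs/event/duplicate HTTP/1.1" 200 512 "https://cms.example.test/dashboard/calendar" "Mozilla/5.0"',
    '203.0.113.5 - editor [21/May/2026:10:04:17 +0000] "POST /ccm/system/dialogs/event/duplicate HTTP/1.1" 200 512 "https://other-site.example/page" "Mozilla/5.0"',
    '198.51.100.9 - editor [21/May/2026:10:05:40 +0000] "POST /ccm/system/dialogs/event/duplicate HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - editor [21/May/2026:10:06:01 +0000] "GET /ccm/system/dialogs/event/duplicate HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:10:07:13 +0000] "POST /index.php/login HTTP/1.1" 302 0 "https://other-site.example/page" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["ip"], hit["reason"], hit["referer"])
```

Treat "cross-site referer" hits as the ones to investigate first; "missing referer" hits need corroboration, since browsers and proxies routinely strip the header.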

Evidence notes

The CVE description supplied with the record states that Concrete CMS 9 before 9.5.0 is vulnerable to CSRF at concrete/controllers/dialog/event/duplicate and assigns CVSS v4.0 2.3. The NVD metadata lists the same CVE on 2026-05-21 and includes a Concrete CMS documentation release-notes reference. The vendor field in the supplied corpus is low-confidence/needs-review, so the product attribution is based on the CVE description and NVD reference rather than the vendor field.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-21. The supplied record cites a Concrete CMS documentation release-notes reference alongside the CVE description.