PatchSiren cyber security CVE debrief

CVE-2026-8416 Concrete CMS CVE debrief

CVE-2026-8416 is a low-severity CSRF issue in Concrete CMS 9 before 9.5.0. The affected backend controller action can be triggered in a way that may cause an authenticated user’s browser to perform an unintended favorite-folder change. The issue was reported by Yonatan Drori (Tenzai) and assigned a CVSS v4.0 score of 2.3.

Vendor: Concrete CMS
Product: Unknown
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running Concrete CMS 9 instances prior to 9.5.0, especially environments where authenticated users can access backend file management features.

Technical summary

The vulnerability is a Cross-Site Request Forgery issue in concrete/controllers/backend/file addFavoriteFolder($id). Because the action is state-changing and the CVSS vector includes UI:P, an attacker may be able to induce an already-authenticated victim to submit the request from the victim's own browser. NVD lists the weakness mappings as CWE-352 and CWE-1275, and the reported impact is limited to low integrity, with no confidentiality or availability impact documented in the supplied record.

Defensive priority

Low. The score is 2.3 and the published vector indicates no confidentiality or availability impact, but the issue should still be fixed because CSRF can let attackers make unauthorized changes through a logged-in user’s session.

Recommended defensive actions

  • Upgrade Concrete CMS to version 9.5.0 or later.
  • Review backend controllers and forms for CSRF protections on state-changing actions.
  • Confirm that session-bound anti-CSRF mechanisms are enabled and validated for authenticated requests.
  • Check whether any automated workflows or customizations call the affected addFavoriteFolder action and validate their request handling.
  • Monitor administrative activity around file favorite-folder changes until patched.
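As an added illustration of the review items above, and not Concrete CMS's own code or its fix, the following PHP contrasts a hypothetical favorite-folder handler in the vulnerable shape (any request carrying an id mutates state) with one that validates a session-bound, per-action token, and sets the SameSite session-cookie attribute that CWE-1275 concerns. The class, method and session key names are assumptions; the requests at the bottom are constructed.

```php
<?php
// Added example, not Concrete CMS code. Names and session keys are hypothetical;
// the favorites list is an in-memory stand-in for the real per-user storage.
declare(strict_types=1);

final class FavoriteFolders
{
    public array $favorites = [];

    // Vulnerable shape: the action changes state on any request that carries an id.
    // A cross-site form post rides the victim's session cookie and succeeds (CWE-352).
    public function addFavoriteFolderUnprotected(int $id): void
    {
        $this->favorites[] = $id;
    }

    // Hardened shape: the request must carry a token issued for this session and
    // this action. An attacker's page cannot read it, so a forged post is rejected.
    // hash_equals() compares in constant time.
    public function addFavoriteFolderProtected(int $id, ?string $token, array &$session): bool
    {
        $expected = $session['csrf']['addFavoriteFolder'] ?? null;
        if (!is_string($expected) || $token === null || !hash_equals($expected, $token)) {
            return false;
        }
        $this->favorites[] = $id;
        return true;
    }

    // Issue a per-session, per-action token; the legitimate form embeds it in a hidden field.
    public static function issueToken(array &$session): string
    {
        $token = bin2hex(random_bytes(32));
        $session['csrf']['addFavoriteFolder'] = $token;
        return $token;
    }
}

// Defence in depth for CWE-1275: with SameSite set, the browser withholds the session
// cookie from cross-site POSTs, so the forged request arrives unauthenticated (PHP >= 7.3).
ini_set('session.cookie_samesite', 'Lax');

// Constructed requests, not captured traffic.
$session = [];
$fav = new FavoriteFolders();
$fav->addFavoriteFolderUnprotected(42);                                  // forged request succeeds
$forged = $fav->addFavoriteFolderProtected(43, 'attacker-guess', $session); // false: no valid token
$token  = FavoriteFolders::issueToken($session);                         // issued when the real form renders
$genuine = $fav->addFavoriteFolderProtected(43, $token, $session);       // true: token matches session
var_dump($forged, $genuine, $fav->favorites);
```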

Evidence notes

All claims here are limited to the supplied NVD record and the referenced Concrete CMS release-notes URL. The record states Concrete CMS 9 before 9.5.0 is vulnerable to CSRF in concrete/controllers/backend/file addFavoriteFolder($id), with CVSS v4.0 2.3 and reporter credit to Yonatan Drori (Tenzai). The supplied corpus does not provide exploit details, attack preconditions beyond UI:P, or broader campaign context.

Official resources

NVD published the CVE record on 2026-05-21. The supplied record credits Yonatan Drori (Tenzai) with reporting the issue.