PatchSiren cyber security CVE debrief
CVE-2026-8427 Concrete CMS CVE debrief
CVE-2026-8427 is a low-severity Cross-Site Request Forgery (CSRF) issue in Concrete CMS 9 before 9.5.0. The vulnerable code is the removeFavoriteFolder($id) action in concrete/controllers/backend/file, and the Concrete CMS security team assigned CVSS v4.0 2.3 (AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N). The issue was publicly recorded on 2026-05-21 and reported by Yonatan Drori (Tenzai).
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and developers running Concrete CMS 9 versions earlier than 9.5.0 should care, especially anyone exposing authenticated admin or backend actions that rely on browser-driven requests. Security teams should verify whether user sessions can trigger state-changing backend actions without CSRF protection.
Technical summary
The flaw is a CSRF weakness in a backend file controller action, removeFavoriteFolder($id). In practical terms, an authenticated user could be induced to submit an unintended request if the application does not sufficiently bind the action to an anti-CSRF control. NVD metadata also maps the issue to CWE-352 and CWE-1275. The available source material indicates the issue is addressed in the Concrete CMS 9.5.0 release notes, but no exploit details are provided here.
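To make the weakness class concrete, the following added example (written for this debrief, not code from Concrete CMS or its 9.5.0 fix) models a state-changing "remove favorite folder" handler in two forms: one that trusts the session cookie alone, and one that additionally requires a synchronizer token bound to the caller's session and to the specific action. The handler names, the `csrf_token` form field, the action string and the in-memory session/user objects are all assumptions for illustration. The CWE-1275 mapping (a sensitive cookie without a suitable SameSite attribute) points at the complementary cookie-side defense, which this example does not model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side secret for this example; a real deployment loads it from config.
SERVER_SECRET = secrets.token_bytes(32)
ACTION = "remove_favorite_folder"  # hypothetical action name used to scope the token


@dataclass
class Request:
    method: str
    session_id: str  # what the framework resolved from the browser-supplied session cookie
    form: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    favorites: set


def issue_token(session_id: str, action: str) -> str:
    """Synchronizer-token pattern: mint a token bound to one session and one action."""
    msg = f"{session_id}\x00{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, action: str, presented) -> bool:
    """Constant-time check; a missing, malformed or foreign token fails."""
    if not isinstance(presented, str) or not presented:
        return False
    return hmac.compare_digest(issue_token(session_id, action), presented)


def remove_favorite_folder_unprotected(request: Request, user: User, folder_id: int) -> int:
    """Weak pattern: a valid session cookie is the only thing checked, so a
    cross-site form POST that the browser auto-authenticates goes through."""
    if request.method != "POST":
        return 405
    user.favorites.discard(folder_id)
    return 200


def remove_favorite_folder_protected(request: Request, user: User, folder_id: int) -> int:
    """Hardened pattern: the request must carry a token the server issued for
    this session and this action; a cross-site page cannot read or mint one."""
    if request.method != "POST":
        return 405
    if not token_is_valid(request.session_id, ACTION, request.form.get("csrf_token")):
        return 403  # token absent, forged, or minted for another session/action
    user.favorites.discard(folder_id)
    return 200


def run_scenarios() -> dict:
    """Replay a forged cross-site POST (victim's cookie attached by the browser, no
    token) against both handlers, then legitimate and mis-scoped tokens against
    the protected one. All inputs are constructed."""
    forged = Request(method="POST", session_id="sess-alice", form={})

    victim = User("alice", favorites={11, 42})
    unprotected_status = remove_favorite_folder_unprotected(forged, victim, 42)
    unprotected_lost_folder = 42 not in victim.favorites

    victim = User("alice", favorites={11, 42})
    protected_forged_status = remove_favorite_folder_protected(forged, victim, 42)
    protected_kept_folder = 42 in victim.favorites

    legit = Request("POST", "sess-alice", {"csrf_token": issue_token("sess-alice", ACTION)})
    protected_legit_status = remove_favorite_folder_protected(legit, victim, 42)
    legit_removed_folder = 42 not in victim.favorites

    other_session = Request("POST", "sess-alice", {"csrf_token": issue_token("sess-mallory", ACTION)})
    other_action = Request("POST", "sess-alice", {"csrf_token": issue_token("sess-alice", "add_favorite_folder")})
    return {
        "unprotected_status": unprotected_status,
        "unprotected_lost_folder": unprotected_lost_folder,
        "protected_forged_status": protected_forged_status,
        "protected_kept_folder": protected_kept_folder,
        "protected_legit_status": protected_legit_status,
        "legit_removed_folder": legit_removed_folder,
        "other_session_status": remove_favorite_folder_protected(other_session, victim, 11),
        "other_action_status": remove_favorite_folder_protected(other_action, victim, 11),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The action-scoped token is the part that matters when auditing sibling controller actions: a token that is valid for any action on any page gives weaker guarantees than one bound to the specific state change the form performs.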
Defensive priority
Low. The score and vector indicate limited impact, with no confidentiality or availability impact and only low integrity impact. Still, CSRF issues can matter in admin workflows, so remediation should be scheduled rather than ignored.
Recommended defensive actions
- Upgrade Concrete CMS 9 instances to 9.5.0 or later.
- Review backend actions that change state to ensure CSRF protections are present and enforced.
- Verify that authenticated admin endpoints require request validation beyond cookie-based session authentication.
- Check whether similar controller actions share the same request-handling pattern and should be audited together.
- Monitor access logs for suspicious browser-originated requests to backend file controller endpoints.
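The last action above, monitoring access logs for browser-originated requests to backend endpoints, can be turned into a simple triage pass. This added example (not from Concrete CMS or the advisory) parses constructed access-log lines in a combined-log layout extended with a trailing `"origin"` field, and flags state-changing requests to a backend path prefix whose Origin or Referer is not the site's own origin, or which carry neither header. The `/backend/file/` prefix, the site origin and every log line are assumptions for illustration; substitute the deployment's real routes and hostname.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumptions for this example: the site's own origin and a hypothetical backend route prefix.
SITE_ORIGINS = {"https://cms.example.com"}
BACKEND_PREFIXES = ("/backend/file/",)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Combined log format plus a trailing quoted Origin header; "-" means the field was absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Constructed sample lines: one legitimate same-origin POST, two cross-site POSTs,
# one POST with no provenance headers, one cross-site GET, one cross-site POST off-scope.
SAMPLE_LOG = """\
203.0.113.5 - alice [21/May/2026:10:01:02 +0000] "POST /backend/file/remove_favorite_folder/42 HTTP/1.1" 200 51 "https://cms.example.com/dashboard/files" "Mozilla/5.0" "https://cms.example.com"
198.51.100.7 - alice [21/May/2026:10:03:10 +0000] "POST /backend/file/remove_favorite_folder/42 HTTP/1.1" 200 51 "https://evil.example/lure.html" "Mozilla/5.0" "https://evil.example"
198.51.100.7 - alice [21/May/2026:10:03:11 +0000] "POST /backend/file/remove_favorite_folder/11 HTTP/1.1" 200 51 "https://evil.example/lure.html" "Mozilla/5.0" "-"
198.51.100.9 - bob [21/May/2026:10:05:00 +0000] "POST /backend/file/remove_favorite_folder/7 HTTP/1.1" 200 51 "-" "Mozilla/5.0" "-"
198.51.100.7 - alice [21/May/2026:10:06:00 +0000] "GET /backend/file/list HTTP/1.1" 200 900 "https://evil.example/lure.html" "Mozilla/5.0" "-"
198.51.100.7 - alice [21/May/2026:10:07:00 +0000] "POST /contact HTTP/1.1" 200 12 "https://evil.example/lure.html" "Mozilla/5.0" "https://evil.example"
"""


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the record looks like a cross-site state change, else None."""
    if rec["method"] not in STATE_CHANGING:
        return None  # read-only requests are out of scope for this check
    if not rec["path"].startswith(BACKEND_PREFIXES):
        return None
    origin = "" if rec["origin"] == "-" else rec["origin"]
    referer = "" if rec["referer"] == "-" else rec["referer"]
    if origin:
        # Origin is the stronger signal: browsers send it on cross-site POSTs.
        return None if origin in SITE_ORIGINS else f"cross-origin Origin header {origin}"
    if referer:
        parts = urlsplit(referer)
        ref_origin = f"{parts.scheme}://{parts.netloc}"
        return None if ref_origin in SITE_ORIGINS else f"cross-site Referer {ref_origin}"
    # Neither header: lower confidence (privacy settings strip Referer), but worth a look.
    return "state-changing request with neither Origin nor Referer"


def find_suspicious(log_text: str) -> list:
    """Scan log text and return one finding per flagged request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append({"ts": rec["ts"], "user": rec["user"], "ip": rec["ip"],
                             "path": rec["path"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['ip']} {f['path']}: {f['reason']}")
```

Because the vulnerable request succeeds with a valid session, the HTTP status alone will not distinguish a forged request from a legitimate one; provenance headers and an unexpected client IP for the session are the usable signals in plain access logs. If the web server does not log the Origin header, add it to the log format before relying on this check.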
Evidence notes
Source evidence is limited to the CVE record and the linked Concrete CMS 9.5.0 release notes reference. The CVE description states the issue affects Concrete CMS 9 before 9.5.0 and identifies the vulnerable controller action. NVD metadata provides the CVSS v4.0 vector, the low severity score, and weakness mappings to CWE-352 and CWE-1275. No exploit technique or additional impacted products were supplied in the source corpus.
Official resources
- CVE-2026-8427 CVE record (CVE.org)
- CVE-2026-8427 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
First recorded in the supplied sources on 2026-05-21. The CVE description credits Yonatan Drori (Tenzai) with reporting the issue.