PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8435 Concrete CMS CVE debrief

CVE-2026-8435 describes a cross-site request forgery issue in Concrete CMS 9 before 9.5.0 affecting the file version approval controller action concrete/controllers/backend/file approveVersion(). NVD assigns a low CVSS v4.0 score of 2.3 and lists CWE-352 along with CWE-1275. The issue was publicly recorded on 2026-05-21, and the supplied vendor reference points to Concrete CMS 9.5.0 release notes as the remediation context.

Vendor: Concrete CMS
Product: Unknown
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and developers running Concrete CMS 9 versions older than 9.5.0, especially environments that use backend file version approval workflows.

Technical summary

The vulnerability is a CSRF flaw in the backend file approval path. NVD classifies it with CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, indicating network reachability, low attack complexity with attack requirements present (AT:P), no privileges required, passive user interaction (a logged-in user must load attacker-controlled content), and limited integrity impact with no confidentiality or availability impact. The supplied weakness data maps to CWE-352 (cross-site request forgery) and CWE-1275 (sensitive cookie with improper SameSite attribute).

Defensive priority

Low

Recommended defensive actions

  • Upgrade Concrete CMS 9 to 9.5.0 or later.
  • Review the backend file approval workflow for CSRF protections and confirm state-changing requests require valid anti-CSRF tokens.
  • Verify that approval actions are only reachable through intended authenticated interfaces and are not exposed through unsafe request handling.
  • Check logs and audit records for unexpected file version approval events around the affected endpoint.
  • If immediate upgrading is not possible, restrict access to backend administration paths until remediation is complete.
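The second and third actions above (state-changing requests must carry a valid anti-CSRF token, and approval must only be reachable through intended authenticated interfaces) are illustrated by the following plain-PHP example. It is added here for this debrief and is not Concrete CMS code; the function names, the `file_id`/`version_id`/`csrf_token` field names and the `$approve` callback are hypothetical. It shows a weak "approve version" action that accepts any request carrying a session cookie (the CWE-352 pattern), then a hardened form that pins the session cookie with SameSite (the CWE-1275 concern), requires POST, checks authorization, and validates a per-session token in constant time.

```php
<?php
// Added illustration of the CSRF weakness class and its fix. Not Concrete CMS code;
// all names below are hypothetical.
declare(strict_types=1);

// --- Weak pattern: any request that arrives with a valid session cookie can approve
// a file version. Browsers attach the cookie automatically, so a cross-site form post
// triggered while an admin is logged in would be accepted (CWE-352).
function approveVersionWeak(array $post, callable $approve): bool
{
    if (!isset($post['file_id'], $post['version_id'])) {   // hypothetical field names
        return false;
    }
    $approve((int)$post['file_id'], (int)$post['version_id']);
    return true;
}

// --- Hardened pattern.

// 1) Session cookie with SameSite=Strict (Lax is also acceptable), Secure and HttpOnly,
//    so cross-site requests do not carry the session at all (addresses CWE-1275).
//    Must be called before session_start().
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2) Per-session anti-CSRF token, generated once and embedded in every backend form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3) Constant-time comparison of the submitted token against the session token.
function csrfTokenIsValid(?string $submitted, ?string $expected): bool
{
    if ($submitted === null || $expected === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// 4) The action itself: POST only, authorized user only, valid token only.
//    Authorization and CSRF validation are separate checks; a valid session alone
//    proves nothing about who initiated the request.
function approveVersionHardened(
    string $method,
    array $post,
    ?string $sessionToken,
    bool $userMayApprove,
    callable $approve
): bool {
    if ($method !== 'POST') {
        return false;   // state changes never ride on GET links
    }
    if (!$userMayApprove) {
        return false;   // permission check stays independent of the CSRF check
    }
    if (!csrfTokenIsValid($post['csrf_token'] ?? null, $sessionToken)) {
        return false;   // missing or mismatched token: treat as forged
    }
    if (!isset($post['file_id'], $post['version_id'])) {
        return false;
    }
    $approve((int)$post['file_id'], (int)$post['version_id']);
    return true;
}

// Demonstration with constructed input (run from the CLI; no real session needed).
$approved = [];
$record = function (int $fileId, int $versionId) use (&$approved): void {
    $approved[] = [$fileId, $versionId];
};

$token  = bin2hex(random_bytes(32));                                    // stands in for the session token
$forged = ['file_id' => 7, 'version_id' => 3];                           // cross-site form: no token
$legit  = ['file_id' => 7, 'version_id' => 3, 'csrf_token' => $token];   // form rendered by the app

var_dump(approveVersionWeak($forged, $record));                           // forgery accepted
var_dump(approveVersionHardened('POST', $forged, $token, true, $record)); // rejected
var_dump(approveVersionHardened('GET',  $legit,  $token, true, $record)); // rejected: wrong method
var_dump(approveVersionHardened('POST', $legit,  $token, true, $record)); // legitimate approval
var_dump(count($approved));
```

Running it from the command line shows the weak action approving the token-less request while the hardened action rejects it, rejects the GET variant, and accepts only the token-bearing POST, leaving two approvals recorded (one from the weak path, one legitimate). In a real deployment the token would come from `csrfToken()` after `startHardenedSession()`, and the `$userMayApprove` flag from the application's permission model; when reviewing the actual file approval workflow, confirm that both the token check and the SameSite cookie settings are present, since either one alone leaves a gap.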

Evidence notes

Supplied CVE data states: Concrete CMS 9 before 9.5.0 is vulnerable to CSRF in concrete/controllers/backend/file approveVersion(). The CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N with score 2.3 and severity LOW. Timeline fields show the CVE was published and modified on 2026-05-21T22:16:52.053Z. The NVD source metadata marks the record as Received and includes the Concrete CMS 9.5.0 release notes as a reference.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-21.