Two highly critical Remote Code Execution (RCE) flaws, widespread Cross-Site Request Forgery (CSRF) vulnerabilities, and dangerous Insecure Direct Object Reference (IDOR) bugs.
For system administrators, web developers, and security engineers managing Concrete CMS environments, applying these patches is not a recommendation; it is an absolute necessity to prevent complete server takeovers and unauthorized data disclosures.
The most alarming revelations in this release center around two vulnerabilities that allow attackers to execute arbitrary code on the underlying web servers. These flaws carry near-maximum severity scores due to their potential for total system compromise.
Concrete CMS Security Update
CVE-2026-8134 (CVSS 9.4) – Path Traversal to RCE: Prior to this update, Concrete CMS failed to sanitize path traversal sequences within the ptComposerFormLayoutSetControlCustomTemplate field. This specific field handles the saving of page type composer form layouts.
An authenticated rogue administrator equipped with composer form editing rights could exploit this oversight to include arbitrary, readable files directly on the server. The severity of this flaw multiplies when combined with the file uploader’s extension-only validation protocol.
Because the system permitted PHP code hidden inside files saved with benign extensions such as .png or .jpg, an attacker could upload a malicious payload and trigger it via the path traversal flaw, resulting in immediate authenticated remote code execution.
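The two weaknesses that chain here are a path value that is not confined to one directory and an upload check that looks only at the file extension. The following is an added example, not Concrete CMS code: it confines a user-supplied template name to a base directory with realpath() containment and validates an upload by its bytes rather than its name. The function names, the `name.php` naming rule for templates, and the temporary directories are assumptions made for the demo.

```php
<?php
// Added example (not Concrete CMS code). Two defensive checks for the pattern
// described above: confine a user-supplied template name to one directory, and
// validate uploaded images by content rather than extension. The names
// resolveTemplatePath, isRealImage and $baseDir are assumptions.

declare(strict_types=1);

/**
 * Resolve a user-supplied template name inside $baseDir, or return null when
 * it would escape that directory (../, absolute paths, symlinks elsewhere).
 * The "bare name plus .php" rule is an assumption for this example.
 */
function resolveTemplatePath(string $baseDir, string $userValue): ?string
{
    // Reject anything that is not a bare file name with the expected extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $userValue)) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $userValue);
    if ($base === false || $candidate === false) {
        return null;
    }
    // realpath() has collapsed any ".." and resolved symlinks, so a prefix
    // comparison now proves the file really lives under $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Accept an upload only if its bytes parse as an image of an allowed type.
 * An extension check alone lets PHP source hide inside a ".png"; getimagesize()
 * and finfo inspect the content. Caveat: a valid image with code appended still
 * passes, so uploads must never be reachable by include() - keep them outside
 * any directory that templates are loaded from.
 */
function isRealImage(string $tmpPath, array $allowedMime = ['image/png', 'image/jpeg', 'image/gif']): bool
{
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    return in_array($mime, $allowedMime, true) && $mime === $info['mime'];
}

// Constructed demo inputs: a template directory with one legitimate template,
// and an "upload" that is not an image at all.
$baseDir = sys_get_temp_dir() . '/composer_templates_demo';
@mkdir($baseDir, 0700, true);
file_put_contents($baseDir . '/default.php', "<?php // template\n");

var_dump(resolveTemplatePath($baseDir, 'default.php') !== null);
var_dump(resolveTemplatePath($baseDir, '../../etc/passwd'));
var_dump(resolveTemplatePath($baseDir, 'uploads/image.png'));

$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, 'not an image');
var_dump(isRealImage($fake));
```

Only the first resolveTemplatePath() call yields a path; the traversal and subdirectory inputs are rejected by the name rule before realpath() is even consulted, and the non-image upload fails isRealImage(). The containment check is kept even though the regex already excludes slashes, because it also covers symlinks inside the template directory that point elsewhere.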
CVE-2026-8135 (CVSS 8.9) – Insecure Deserialization: Another critical path to server takeover was discovered in the ExpressEntryList block controller. The core issue stemmed from insecure deserialization. A rogue administrator with privileges to add blocks could bypass the intended _fromCIF === true protection mechanism.
By leveraging the REST API functionality, which processes requests using json_decode(), an attacker could force the system to evaluate the string “true” as a strict PHP Boolean true. This bypass allowed the injection of a highly malicious serialized payload into the block’s filterFields database column.
The moment any administrator viewed or edited the block’s data, the payload would execute, granting the attacker complete control over the application environment.
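The bypass works because json_decode() turns the JSON literal `true` into a PHP boolean, so a strict comparison is no protection when the flag arrives in the request body. The following is an added example, not Concrete CMS code: it shows the decoded request satisfying a strict check, and a way to store block settings that does not let unserialize() instantiate classes. The names `$body`, saveFilterFields and loadFilterFields and the layout of the stored data are assumptions.

```php
<?php
// Added example (not Concrete CMS code). Shows why a trust flag carried in a
// JSON request body cannot act as a boundary, and how to persist block
// settings without unserialize() reaching arbitrary classes. The names $body,
// saveFilterFields and loadFilterFields are assumptions.

declare(strict_types=1);

// 1. json_decode() converts the JSON literal true into a PHP bool, so even a
//    strict comparison is satisfied by any client that sends that literal.
$body = json_decode('{"_fromCIF": true, "filterFields": "client data"}', true);
$flagPassesStrictCheck = ($body['_fromCIF'] === true);
var_dump($flagPassesStrictCheck);

// A flag that means "this came from a trusted import path" must be set by that
// server-side path, never read from request data. Drop it at the boundary:
unset($body['_fromCIF']);

// 2. Store settings as JSON instead of serialize(); when legacy serialized rows
//    must still be read, forbid object instantiation entirely.
function saveFilterFields(array $fields): string
{
    return json_encode($fields, JSON_THROW_ON_ERROR);
}

function loadFilterFields(string $stored): array
{
    // Preferred format: JSON, which can never yield a PHP object.
    $decoded = json_decode($stored, true);
    if (is_array($decoded)) {
        return $decoded;
    }
    // Legacy format: PHP serialize(). allowed_classes => false turns every
    // embedded object into __PHP_Incomplete_Class, so no __wakeup() or
    // __destruct() of an application class can run during deserialization.
    $legacy = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($legacy)) {
        throw new InvalidArgumentException('filterFields is neither JSON nor a serialized array');
    }
    // Refuse rows that still carry objects of any kind.
    array_walk_recursive($legacy, static function ($value): void {
        if (is_object($value)) {
            throw new InvalidArgumentException('object found in stored filterFields');
        }
    });
    return $legacy;
}

// Constructed demo rows: a plain array round-trips, a row smuggling an object
// is rejected before any code in it could matter.
$good = serialize(['fieldA' => ['operator' => 'eq', 'value' => 1]]);
$bad  = serialize(['fieldA' => new stdClass()]);

var_dump(loadFilterFields($good));
var_dump(loadFilterFields(saveFilterFields(['fieldB' => 'x'])));
try {
    loadFilterFields($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The important property is that the decision to deserialize never depends on a client-supplied value, and that the deserializer used for legacy rows cannot construct application objects at all.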
A significant portion of the security update focuses on patching numerous CSRF vulnerabilities. These flaws allowed attackers to silently hijack the sessions of authenticated administrators to perform state-changing actions.
Marketplace and Package Exploits: Multiple CVEs (CVE-2026-8140, CVE-2026-8417, CVE-2026-8421, and CVE-2026-8426, all rated CVSS 7.5) exposed critical endpoints to CSRF attacks. Previously, Concrete CMS did not validate CSRF tokens before processing requests to package download, installation, and upgrade endpoints.
For instance, the download() method only verified the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server’s DIR_PACKAGES directory.
Because these endpoints functioned as state-changing GET routes without token enforcement, an external attacker could trick an authenticated administrator into visiting a crafted malicious page.
This single action could force the arbitrary download, installation, or upgrade of compromised marketplace packages, ultimately leading to remote code execution as the web server user.
System Update Hijacking: In a similar vein, CVE-2026-8428 (CVSS 7.5) revealed a flaw where the system emitted a CSRF token in the update view but completely failed to validate it in the backend controller.
An attacker could craft a cross-site POST request that forced a core CMS update to an attacker-specified version string, completely compromising the core framework of the site.
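Both the package endpoints and the update controller share the same fix: the action must be a POST, and the controller must validate the token it emitted before doing any work. The following is an added example, not Concrete CMS code (Concrete ships its own token helper); it shows a minimal session-bound token, a guard that rejects GET and unmatched tokens, and a package-install action that runs the guard ahead of the permission check. The function names, the session layout and the package handle format are assumptions.

```php
<?php
// Added example (not Concrete CMS code; Concrete has its own token helper).
// A minimal CSRF guard for a state-changing action such as package install or
// a core update. The token is created from the session, emitted in the form,
// and checked in the controller before anything happens. requireCsrf(),
// installPackageAction(), the session key and handle format are assumptions.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

/** Return (and lazily create) the per-session token. */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden field to embed in every state-changing form. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Gate for state-changing actions. GET is refused outright, because a link or
 * an <img> tag on any site can issue one; POST must carry the session token.
 */
function requireCsrf(string $method, array $post, array $session): void
{
    if ($method !== 'POST') {
        throw new RuntimeException('405: state-changing action requires POST');
    }
    $sent     = (string)($post['csrf'] ?? '');
    $expected = (string)($session[CSRF_SESSION_KEY] ?? '');
    // hash_equals() compares in constant time so the token cannot leak via timing.
    if ($expected === '' || !hash_equals($expected, $sent)) {
        throw new RuntimeException('403: invalid CSRF token');
    }
}

/**
 * Controller sketch. Order matters: a forged request is rejected before the
 * (legitimately logged-in) admin's permission is even consulted.
 */
function installPackageAction(string $method, array $post, array $session,
                              callable $canInstall, callable $doInstall): string
{
    requireCsrf($method, $post, $session);
    if (!$canInstall()) {
        throw new RuntimeException('403: not permitted');
    }
    $handle = (string)($post['pkgHandle'] ?? '');
    // Allow-list the identifier; never pass it raw into a path or URL.
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/', $handle)) {
        throw new InvalidArgumentException('bad package handle');
    }
    return $doInstall($handle);
}

// Constructed demo. In a web request session_start() would have populated
// $_SESSION; here it is initialised directly.
$_SESSION = [];
csrfToken();
$session = $_SESSION;

$attempts = [
    ['GET',  ['pkgHandle' => 'blog']],                                   // cross-site link
    ['POST', ['pkgHandle' => 'blog']],                                   // cross-site form, no token
    ['POST', ['pkgHandle' => 'blog', 'csrf' => $session['csrf_token']]], // genuine form
];
foreach ($attempts as [$method, $post]) {
    try {
        echo installPackageAction($method, $post, $session,
            fn() => true, fn(string $h) => "installed $h"), PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first two attempts are rejected and only the third installs. Emitting the field in the view, as the update controller already did, is only half of the control; the validation in the backend is what actually stops the forged request.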
Beyond code execution and forged requests, the release mitigates severe logic flaws that allowed unauthorized data access and account manipulation.
CVE-2026-8350 (CVSS 7.5) – Bulk User Assignment Bypass: Concrete CMS suffered from missing authorization checks within bulk_user_assignment.php. This vulnerability opened the door for devastating privilege escalation.
Any authenticated user who had access to the bulk user assignment dashboard page could arbitrarily add their own (or any other) email to the Administrative Group while simultaneously stripping legitimate administrators of their privileges.
Widespread IDOR Vulnerabilities: Insecure Direct Object References plagued several frontend endpoints, allowing unauthenticated attackers to harvest sensitive data. CVE-2026-6826 and CVE-2026-8236 allowed unauthenticated visitors to query the /ccm/system/dialogs/file/usage/{fID} endpoint.
By simply inputting an integer file ID, attackers received a comprehensive list of every page referencing that file, including page IDs, versions, and full URLs of restricted or hidden pages.
Furthermore, conversation and messaging endpoints (CVE-2026-8237, CVE-2026-8238) leaked the full content of conversation messages, including file attachments and download URLs from restricted member-only areas and moderation queues.
The system also exposed page metadata (CVE-2026-8240), revealing the titles, paths, and descriptions of private and draft pages simply through summary templates.
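All of these IDORs have the same shape: an identifier from the URL is used to load a record, and the record is returned without checking whether the requesting user may see that particular object. The following is an added example, not Concrete CMS code, showing the file-usage style lookup with an object-level authorization check and a uniform 404 for both missing and forbidden objects. The Viewer interface, FileRepo, the sample rows and fileUsageAction are assumptions.

```php
<?php
// Added example (not Concrete CMS code). Pattern for an endpoint that looks up
// an object by ID: the record is loaded, then the current user's permission on
// that specific object is checked before any of it is disclosed. Returning 404
// for both "missing" and "forbidden" avoids confirming that a hidden ID exists.
// Viewer, AnonymousViewer, MemberViewer, FileRepo and fileUsageAction are
// assumptions for this demo.

declare(strict_types=1);

interface Viewer
{
    public function canView(array $file): bool;
}

/** Guest: sees only public files. */
final class AnonymousViewer implements Viewer
{
    public function canView(array $file): bool
    {
        return $file['public'] === true;
    }
}

/** Logged-in member: sees public files and files they own. */
final class MemberViewer implements Viewer
{
    private int $userId;

    public function __construct(int $userId)
    {
        $this->userId = $userId;
    }

    public function canView(array $file): bool
    {
        return $file['public'] === true || $file['ownerId'] === $this->userId;
    }
}

/** Toy repository standing in for the database (constructed sample rows). */
final class FileRepo
{
    private array $rows = [
        1 => ['public' => true,  'ownerId' => 10, 'usedOn' => ['/about', '/team']],
        2 => ['public' => false, 'ownerId' => 10, 'usedOn' => ['/members/contract-draft']],
    ];

    public function find(int $fID): ?array
    {
        return $this->rows[$fID] ?? null;
    }
}

/**
 * Authorized lookup. The id comes straight from the URL, so validate its
 * type, load the object, and apply the per-object check before any page
 * references leave the server.
 */
function fileUsageAction(string $rawId, Viewer $viewer, FileRepo $repo): array
{
    if (!ctype_digit($rawId)) {
        return ['status' => 400, 'body' => []];
    }
    $file = $repo->find((int)$rawId);
    if ($file === null || !$viewer->canView($file)) {
        return ['status' => 404, 'body' => []];   // identical answer for missing and forbidden
    }
    return ['status' => 200, 'body' => $file['usedOn']];
}

// Constructed demo: the hidden file's usage is visible only to its owner.
$repo = new FileRepo();
print_r(fileUsageAction('2', new AnonymousViewer(), $repo));
print_r(fileUsageAction('2', new MemberViewer(10), $repo));
print_r(fileUsageAction('2', new MemberViewer(11), $repo));
print_r(fileUsageAction('abc', new MemberViewer(10), $repo));
```

The check lives next to the data access rather than in a route-level "is logged in" test, which is the distinction between authentication and per-object authorization that these endpoints were missing.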
The development team also addressed multiple Stored and Reflected XSS vulnerabilities that threatened session integrity. CVE-2026-8197 and CVE-2026-8203 (CVSS 7.3) involved Stored XSS via OAuth integration names and block height parameters.
The OAuth template rendered integration names through a translation helper without escaping the output, dropping raw HTML into the DOM.
Similarly, unvalidated height parameters allowed users with editor privileges to inject malicious JavaScript. These scripts would execute in the context of any visitor’s browser, enabling session hijacking and credential theft.
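The two XSS sinks differ in the fix they need: a free-text integration name must be HTML-escaped before it is interpolated into the translated string, while a height is a number and should be validated as one so it can never carry markup into an attribute. The following is an added example, not Concrete CMS code; the esc() helper, the stand-in t() translation function and the render functions are assumptions.

```php
<?php
// Added example (not Concrete CMS code). Output handling for the two sinks
// named above: a user-provided integration name passed through a translation
// helper, and a block height that ends up inside a style attribute. esc(),
// the stand-in t(), renderIntegrationRow and renderBlockHeight are assumptions.

declare(strict_types=1);

/** HTML-escape for text nodes and quoted attribute values. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Stand-in translation helper that substitutes %s like a gettext-style t(). */
function t(string $format, string ...$args): string
{
    return sprintf($format, ...$args);
}

/**
 * Escape the data before it goes into the translated sentence, not the whole
 * sentence afterwards: the translation may legitimately carry markup, the
 * user-supplied value never may.
 */
function renderIntegrationRow(string $integrationName): string
{
    return '<li>' . t('Connected to %s', esc($integrationName)) . '</li>';
}

/**
 * A height is a bounded integer. Validating it as one means quotes, angle
 * brackets or CSS tricks in the submitted value can never reach the markup.
 */
function renderBlockHeight(string $rawHeight): string
{
    $height = filter_var($rawHeight, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5000],
    ]);
    if ($height === false) {
        $height = 400;   // safe default instead of echoing the rejected value
    }
    return '<div class="block" style="height:' . $height . 'px"></div>';
}

// Constructed inputs of the shape an editor could submit.
echo renderIntegrationRow('Acme <script>alert(1)</script>'), PHP_EOL;
echo renderBlockHeight('300'), PHP_EOL;
echo renderBlockHeight('300px" onmouseover="alert(1)'), PHP_EOL;
```

The first line renders the tags as literal text, the second produces a normal 300px block, and the third falls back to the default because the value is not an integer. Escaping belongs at the output point, where the context (text node, attribute, URL) is known.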
Additionally, CVE-2026-8327 (CVSS 5.3) highlighted a critical session-hardening bypass. The user-profile edit controller passed raw POST arrays directly to the update function without field whitelisting.
This oversight allowed attackers to change passwords without providing the current password and enabled registered users to disable the per-user IP-pinning feature, which is specifically designed to detect and prevent session hijacking.
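Passing the whole POST array to an update routine means every column the routine knows about becomes editable by the submitter. The following is an added example, not Concrete CMS code: the controller copies only an explicit allow-list of profile fields, and a password change is a separate action that verifies the current password before anything is written. The field names, including the `ip_pinning` stand-in for the per-user IP-pinning setting, and the function names are assumptions.

```php
<?php
// Added example (not Concrete CMS code). The profile-edit pattern: build the
// update set from an explicit allow-list instead of handing $_POST through,
// and make password changes verify the current password first. Field names
// (including the 'ip_pinning' stand-in) and function names are assumptions.

declare(strict_types=1);

/** Fields a user may change on their own profile. Anything else is dropped. */
const PROFILE_EDITABLE = ['display_name', 'locale', 'timezone'];

/**
 * Build the update set from a raw POST array. Security-sensitive fields
 * (password, IP pinning, group membership, ...) can never pass through here
 * because they are simply not in the list.
 */
function pickProfileFields(array $post): array
{
    $out = [];
    foreach (PROFILE_EDITABLE as $key) {
        if (array_key_exists($key, $post) && is_string($post[$key])) {
            $out[$key] = $post[$key];
        }
    }
    return $out;
}

/**
 * Password change is its own action with its own preconditions. Returns the
 * new hash or throws; nothing is written when a check fails.
 */
function changePassword(array $post, string $storedHash): string
{
    $current = (string)($post['current_password'] ?? '');
    $new     = (string)($post['new_password'] ?? '');
    $confirm = (string)($post['confirm_password'] ?? '');
    if ($current === '' || !password_verify($current, $storedHash)) {
        throw new RuntimeException('current password required and must match');
    }
    if ($new === '' || strlen($new) < 12 || !hash_equals($new, $confirm)) {
        throw new RuntimeException('new password missing, too short, or confirmation mismatch');
    }
    return password_hash($new, PASSWORD_DEFAULT);
}

// Constructed demo: a POST that tries to smuggle sensitive fields alongside
// a legitimate display-name edit.
$storedHash = password_hash('old-secret-passphrase', PASSWORD_DEFAULT);
$post = [
    'display_name' => 'Alice',
    'ip_pinning'   => '0',             // attempt to switch off session hardening
    'password'     => 'attacker-set',  // attempt to set a password with no current one
    'is_admin'     => '1',
];
var_dump(pickProfileFields($post));    // only display_name is kept

try {
    changePassword(['new_password' => 'x', 'confirm_password' => 'x'], $storedHash);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$newHash = changePassword([
    'current_password' => 'old-secret-passphrase',
    'new_password'     => 'correct horse battery staple',
    'confirm_password' => 'correct horse battery staple',
], $storedHash);
echo password_verify('correct horse battery staple', $newHash) ? 'password rotated' : 'unexpected', PHP_EOL;
```

An allow-list is preferred over a deny-list of "dangerous" columns because a new sensitive column added later is protected by default rather than exposed by default.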
Mitigation
While security took center stage, the 9.5.X update also introduces vital behavioral improvements. Concrete CMS now actively detects if the site or its add-ons are installed via Composer.
If true, the system intelligently disables direct in-app updates to prevent environment corruption, providing administrators with a helpful explanation instead.
Performance optimizations have been applied to the Document Library block, drastically improving load times for sites managing extensive file folder hierarchies.
To enhance administrative safety, the system no longer permits users to move or copy system pages, such as Dashboard pages, preventing accidental architectural breakage.
Developers must note a critical backward compatibility change: Concrete CMS 9.5.0’s migration to Symfony Mailer relies on proc_open to send mail via the local sendmail binary.
Systems with proc_open disabled at the PHP level will experience mail failures, and administrators are advised to configure external SMTP servers to ensure uninterrupted functionality.
FAQ
What is the most critical vulnerability patched in this Concrete CMS update?
The most critical flaw is CVE-2026-8134, a CVSS 9.4 path traversal vulnerability that enables authenticated remote code execution.
How do the CSRF vulnerabilities affect my site’s marketplace packages?
Attackers can trick authenticated admins into silently downloading or installing malicious packages due to unvalidated GET requests.
Can unauthenticated users access private files before this patch?
Yes, IDOR vulnerabilities allowed unauthenticated users to view file usage data, conversation attachments, and restricted page metadata.
Why are my site emails failing after upgrading to Concrete CMS 9.5.X?
The switch to Symfony Mailer requires proc_open to be enabled; if disabled, you must configure an external SMTP server.
Site: thecybrdef.com