CSRF Vulnerability in Concrete CMS Affects Version Management
CVE-2026-8340

2.3 LOW

Key Information:

Vendor
CVE Published: 22 May 2026

What is CVE-2026-8340?

Concrete CMS versions 9.5.0 and earlier are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability affecting the file version approval process. An attacker can trick a user who holds the 'edit_file_contents' permission into publishing a file version of the attacker's choosing. The tricked user could inadvertently downgrade a document to an earlier version or activate a co-editor's unpublished version, potentially exposing sensitive content or causing unintended data loss. It is crucial for users to adopt security measures to mitigate this risk.

Affected Version(s)

Concrete CMS 5.0 <= 9.5.0

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Winston Crooker