CVE-2026-8340 Overview
CVE-2026-8340 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Concrete CMS versions 9.5.0 and below. The flaw resides in the Backend\File::approveVersion endpoint, which lacks adequate anti-CSRF token validation. An attacker can trick an authenticated user holding the edit_file_contents permission into publishing an attacker-chosen, previously uploaded file version. This allows a downgrade to an older file version or activation of a co-editor's unpublished version. The vulnerability is tracked under CWE-352 and was reported by Winston Crooker through the Concrete CMS security team.
Critical Impact
Authenticated users can be coerced via crafted web requests into approving unintended file versions, resulting in unauthorized content modification within the CMS.
Affected Products
- Concrete CMS 9.5.0 and earlier
- Concrete CMS 9.x branch prior to 9.5.1
- Installations exposing the Backend\File::approveVersion workflow to users with edit_file_contents permission
Discovery Timeline
- 2026-05-22 - CVE-2026-8340 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-8340
Vulnerability Analysis
The vulnerability stems from missing CSRF protection on the Backend\File::approveVersion controller action in Concrete CMS. The endpoint accepts state-changing requests that modify which file version is published without validating an anti-CSRF token tied to the user session. An attacker hosts or injects a malicious page that issues a crafted request to the vulnerable endpoint. When a victim with edit_file_contents permission visits the page while authenticated, the browser submits the request with valid session cookies. The server processes the version approval as if the victim initiated it. User interaction is required, which limits exploit reliability but does not prevent abuse.
Root Cause
The root cause is the absence of synchronizer token validation on the approveVersion action. The controller treats authenticated session cookies as sufficient authorization, omitting the per-request token comparison that Concrete CMS applies to other state-changing endpoints. This omission satisfies the conditions of CWE-352: Cross-Site Request Forgery.
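As an added illustration, not Concrete CMS code, the pattern just described in Python: a version-approval handler that treats the session cookie as sufficient authorization, beside a hardened form that requires a synchronizer token bound to the server-side session and the action name. The session layout, the in-memory file store and the csrf_token parameter name are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the CMS session and file store (not Concrete CMS code).
FILE_VERSIONS = {42: {1: "old", 2: "published", 3: "co-editor draft"}}
PUBLISHED = {42: 2}          # fID -> currently published fvID
TOKEN_TTL = 3600             # seconds a token stays valid
ACTION = "approve_version"   # action name the token is bound to

def approve_version_vulnerable(session, params):
    """Vulnerable pattern: a valid session cookie is treated as sufficient
    authorization, so any page the victim visits can trigger the change."""
    if "edit_file_contents" not in session["permissions"]:
        raise PermissionError("edit_file_contents required")
    fid, fvid = params["fID"], params["fvID"]
    if fvid not in FILE_VERSIONS.get(fid, {}):
        raise KeyError("unknown file version")
    PUBLISHED[fid] = fvid
    return fvid

def generate_token(session, action=ACTION, now=None):
    """Synchronizer token: HMAC over action and timestamp, keyed by a secret
    that exists only in the server-side session (never sent in the cookie)."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(session["secret"], f"{action}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def validate_token(session, token, action=ACTION, now=None):
    """Reject missing, malformed, expired, foreign-session or wrong-action tokens
    using a constant-time comparison."""
    if not isinstance(token, str) or ":" not in token:
        return False
    ts, mac = token.split(":", 1)
    if not ts.isdigit():
        return False
    now = now if now is not None else time.time()
    if now - int(ts) > TOKEN_TTL:
        return False
    expected = hmac.new(session["secret"], f"{action}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def approve_version_fixed(session, params):
    """Hardened pattern: the request must carry a token the server issued to this
    session, which an attacker-controlled page cannot read or forge."""
    # "csrf_token" is an assumed parameter name, not Concrete CMS's own.
    if not validate_token(session, params.get("csrf_token")):
        raise PermissionError("missing or invalid CSRF token")
    return approve_version_vulnerable(session, params)
```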
Attack Vector
Exploitation requires a victim with the edit_file_contents permission to load attacker-controlled content while authenticated to the Concrete CMS instance. The attacker prepares an HTML page containing an auto-submitting form or fetch request pointing to the approveVersion endpoint, specifying the target file identifier and the version identifier to activate. The result is either a content downgrade to an older version or unauthorized publication of a co-editor's draft, producing a low integrity impact without affecting confidentiality or availability.
No verified public exploit code is available. See the ConcreteCMS 9.x Release Notes for vendor technical details.
Detection Methods for CVE-2026-8340
Indicators of Compromise
- File version approval events in Concrete CMS audit logs originating from unexpected HTTP referrers or external origins
- Unexplained reversion of files to older versions or activation of previously unpublished versions by editors
- Access log entries showing POST requests to the approveVersion action without a corresponding prior navigation to the file management UI
Detection Strategies
- Review Concrete CMS application logs for Backend\File::approveVersion invocations and correlate them with Referer headers that fall outside the trusted application domain
- Compare file version history against expected editorial workflows to flag anomalous version activations
- Monitor web server access logs for cross-origin POSTs to file management endpoints from authenticated editor sessions
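The first and third strategies above, as an added example in Python that is not part of the advisory or of Concrete CMS: it scans web server access lines in the common "combined" format for POSTs to the approval route whose Referer is missing or outside the CMS origin, and for approvals not preceded by a file-manager page load from the same client. The route path, the file-manager path prefix, the trusted hostname and the sample log lines are placeholders and constructed data, not values from the page.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit
# Assumed placeholders: substitute the real routes and hostname of the installation.
APPROVE_PATH = "/ccm/system/file/approve_version"  # placeholder for the approveVersion route
FILE_MANAGER_PREFIX = "/dashboard/files"           # placeholder for the file-manager UI path
TRUSTED_HOSTS = {"cms.example.org"}                 # the CMS's own origin
NAV_WINDOW = timedelta(minutes=10)                  # how recent a file-manager page load must be
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_suspicious_approvals(lines):
    """Return (ip, user, reasons) for each POST to APPROVE_PATH whose Referer is
    missing or off-domain, or that no file-manager page load from the same
    client precedes within NAV_WINDOW (the two strategies listed above)."""
    last_nav, findings = {}, []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "GET" and rec["path"].startswith(FILE_MANAGER_PREFIX):
            last_nav[rec["ip"]] = rec["ts"]
            continue
        if rec["method"] != "POST" or urlsplit(rec["path"]).path != APPROVE_PATH:
            continue
        host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        reasons = []
        if host not in TRUSTED_HOSTS:
            reasons.append(f"referer host {host!r} is not the CMS origin")
        nav = last_nav.get(rec["ip"])
        if nav is None or rec["ts"] - nav > NAV_WINDOW:
            reasons.append("no recent file-manager navigation from this client")
        if reasons:
            findings.append((rec["ip"], rec["user"], "; ".join(reasons)))
    return findings

# Constructed sample lines: an in-app approval by alice, then a cross-site one riding bob's session.
SAMPLE_LOG = [
    '10.0.0.5 - alice [22/May/2026:10:00:00 +0000] "GET /dashboard/files/search HTTP/1.1" 200 512 "https://cms.example.org/dashboard" "Mozilla/5.0"',
    '10.0.0.5 - alice [22/May/2026:10:01:30 +0000] "POST /ccm/system/file/approve_version HTTP/1.1" 200 44 "https://cms.example.org/dashboard/files/search" "Mozilla/5.0"',
    '10.0.0.9 - bob [22/May/2026:13:45:02 +0000] "POST /ccm/system/file/approve_version HTTP/1.1" 200 44 "https://third-party.example.net/page" "Mozilla/5.0"',
]
```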
Monitoring Recommendations
- Enable verbose logging on the Concrete CMS file management subsystem to capture version approval actions, including the acting user and source IP
- Forward web server and CMS application logs to a centralized SIEM for correlation with browsing telemetry
- Alert when file version downgrades occur outside business hours or from editors who do not typically manage the affected assets
How to Mitigate CVE-2026-8340
Immediate Actions Required
- Upgrade Concrete CMS to version 9.5.1 or later, which addresses the missing CSRF protection on approveVersion
- Audit recent file version changes to identify any unauthorized downgrades or premature publications and restore correct versions
- Review accounts holding the edit_file_contents permission and remove the permission from users who do not require it
Patch Information
The issue is resolved in Concrete CMS 9.5.1. Refer to the ConcreteCMS 9.x Release Notes for the official fix details and upgrade instructions.
Workarounds
- Enforce browser policies that block third-party cookies for the CMS domain, so that editor session cookies are not attached to cross-site requests issued from other pages, reducing the reliability of CSRF against the endpoint
- Place the Concrete CMS administrative interface behind a VPN or IP allowlist to limit exposure of authenticated sessions to untrusted web content
- Train users with edit_file_contents permission to log out of the CMS before browsing unrelated sites and to review file version histories regularly
# Configuration example: enforce SameSite=Strict on session cookies via web server
# Apache (mod_headers) example for the Concrete CMS vhost. The pattern matches the
# default CONCRETE5 session cookie name; adjust it if the cookie name was changed.
# "Secure" requires the site to be served over HTTPS.
Header edit Set-Cookie ^(CONCRETE5.*)$ "$1; SameSite=Strict; Secure"
# Repeat with "always" so redirect responses (e.g. after login) are covered too
Header always edit Set-Cookie ^(CONCRETE5.*)$ "$1; SameSite=Strict; Secure"
# Note: SameSite is defence in depth only; it does not replace the per-request
# token check restored in 9.5.1. Strict also drops the session on cross-site links
# into the CMS; Lax would still withhold the cookie on the cross-site POST used here.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.