Concrete CMS allows attackers to bypass security settings
CVE-2026-2994
GHSA-6mxw-2vhf-42g5
Summary
Concrete CMS versions before 9.4.8 are vulnerable to cross-site request forgery (CSRF) in the anti-spam allowlist group configuration. An attacker who can get a logged-in administrator to load a crafted page can cause an unauthorized configuration change to be saved, because the affected handler persists the change before it checks the CSRF token, so the token failure is reported only after the change has already taken effect. To fix this, update to version 9.4.8 or later.
What to do
- Update Concrete CMS (concrete5/concrete5) to version 9.4.8 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| concrete5 | concrete5 | < 9.4.8 | 9.4.8 |
| concretecms | concrete_cms | < 9.4.8 | 9.4.8 |
Original title
Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF)
Original description
Concrete CMS below version 9.4.8 is subject to CSRF by a rogue administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token.
The Concrete CMS security team thanks z3rco for reporting
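The ordering flaw the description points at, as an added example that is not part of this advisory or of Concrete CMS's own code: a settings handler that persists the submitted group_id and only afterwards validates the CSRF token, placed beside the corrected ordering. The HMAC token scheme, the `ccm_token` form field, the handler names and the replayed requests are all constructed for illustration and are not Concrete CMS's implementation.

```python
# Added illustration of the flaw class described in the advisory: a
# settings handler that persists the submitted value before validating
# the CSRF token. This is constructed example code, not Concrete CMS
# source; the token scheme, the ccm_token/group_id form fields and the
# handler names are assumptions used to model the pattern.
import hashlib
import hmac
import secrets

# Per-installation secret used to derive request tokens (constructed).
SECRET = secrets.token_bytes(32)


def issue_token(session_id: str, action: str) -> str:
    """Derive a token bound to the admin's session and a specific action.

    Only the server and the browser holding the session can obtain it;
    a cross-origin page can trigger a POST but cannot read this value.
    """
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(session_id: str, action: str, token) -> bool:
    """Constant-time comparison; a missing or non-string token is invalid."""
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(issue_token(session_id, action), token)


class AllowlistSettings:
    """Stand-in for persisted configuration (constructed)."""

    def __init__(self, group_id: int):
        self.group_id = group_id


def vulnerable_save(settings: AllowlistSettings, session_id: str, form: dict):
    """Save first, check second: the change is already committed when the
    403 is returned, so the error response does not undo the damage."""
    settings.group_id = int(form["group_id"])  # persisted unconditionally
    if not token_valid(session_id, "update_allowlist", form.get("ccm_token")):
        return 403, "Invalid token"
    return 200, "Saved"


def fixed_save(settings: AllowlistSettings, session_id: str, form: dict):
    """Validate the token before any state change is made."""
    if not token_valid(session_id, "update_allowlist", form.get("ccm_token")):
        return 403, "Invalid token"
    settings.group_id = int(form["group_id"])
    return 200, "Saved"


def replay_forged_post(handler):
    """Model a cross-site POST: the browser attaches the admin's session, but
    the attacker-controlled form carries no valid token.
    Returns (status, group_id after the request)."""
    settings = AllowlistSettings(group_id=1)   # constructed initial state
    forged_form = {"group_id": "9999"}          # attacker cannot supply ccm_token
    status, _ = handler(settings, "admin-session", forged_form)
    return status, settings.group_id


def replay_legitimate_post(handler):
    """A genuine dashboard submission carries the session-bound token."""
    settings = AllowlistSettings(group_id=1)
    form = {
        "group_id": "42",
        "ccm_token": issue_token("admin-session", "update_allowlist"),
    }
    status, _ = handler(settings, "admin-session", form)
    return status, settings.group_id


if __name__ == "__main__":
    print("vulnerable, forged:", replay_forged_post(vulnerable_save))  # (403, 9999)
    print("fixed, forged:     ", replay_forged_post(fixed_save))       # (403, 1)
    print("fixed, legitimate: ", replay_legitimate_post(fixed_save))   # (200, 42)
```

Both handlers answer the forged request with 403, but only the vulnerable one has already overwritten the stored group_id by the time it does. A regression test that asserts only on the status code therefore passes against the broken ordering; the check that catches this class of bug asserts on the persisted state after a request with a missing or wrong token.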
NVD CVSS 3.1: 6.8
NVD CVSS 4.0: 2.3
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
- https://documentation.concretecms.org/9-x/developers/introduction/version-histor... (Release Notes, Patch, Vendor Advisory)
- https://github.com/concretecms/concretecms/pull/12826 (Exploit, Issue Tracking, Vendor Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-2994
- https://github.com/advisories/GHSA-6mxw-2vhf-42g5
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026