External risk intelligence

Concrete CMS Package Download Vulnerability.

CVE advisory

Severity: HIGH (CVSS 7.5)

CVE-2026-8140

Concrete CMS installations are affected by a vulnerability that allows an attacker to trick an authenticated administrator into downloading arbitrary marketplace packages, potentially leading to unauthorized software installation. The risk involves an unauthenticated attacker leveraging a CSRF flaw and an administrator

Halo Surface Signal: 3

Cross-site Request Forgery

Concretecms Concrete Cms

9.5.0 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-8140

The vulnerability resides in a specific administrative dashboard route of a CMS. While Concrete CMS instances are often web-accessible, this flaw requires a targeted victim with administrative privileges to be deceived into visiting a crafted URL, rather than being a directly exploitable public-facing service endpoint.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Concrete CMS installations. The flaw allows an attacker to trick an authenticated administrator into downloading an arbitrary marketplace package. This could lead to the installation of unauthorized or malicious software on the organization's systems.

  • Vulnerable CMS dashboard feature
  • Missing security token validation
  • Unauthorized package installation

Attack Path

How an attacker could exploit the issue

The described attack path involves an unauthenticated attacker exploiting a Cross-Site Request Forgery (CSRF) vulnerability in Concrete CMS. This occurs when an authenticated administrator visits a malicious page, leading to an unauthorized package download. The CMS fails to validate a CSRF token before processing requests to a specific dashboard endpoint, allowing an attacker to interfere with system integrity. The administrator's session is leveraged to execute this unauthorized action.

  • Vulnerable endpoint exposed externally.
  • Attacker crafts a malicious webpage.
  • Administrator visits page; arbitrary package downloads.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Concrete CMS allows an unauthenticated attacker to potentially download arbitrary marketplace packages to an organization's servers. The attack requires tricking an authenticated administrator into visiting a malicious link, and the organization's site must be connected to the Concrete marketplace. This could lead to the installation of unapproved or malicious software, posing a significant risk to the integrity and security of business systems.

  • Attacker skill level: High
  • Required access or conditions: Authenticated administrator, site connected to marketplace
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an unauthenticated attacker to force the download of arbitrary marketplace packages on affected systems. The attack requires an authenticated administrator to visit a malicious link, and the site must be connected to the Concrete marketplace. The primary risk is the potential for unauthorized code execution if a malicious package is installed.

  • Find all Concrete CMS instances.
  • Restrict access to the dashboard installation endpoint.
  • Update Concrete CMS to the latest version and monitor for related activity.
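One way to act on the monitoring step above, as an added example that is not part of this advisory or of Concrete CMS itself: a Python scan over web-server access logs (combined format, with Referer) that flags requests to the dashboard download route named in this advisory whose Referer is absent or points at a host other than the site's own. The site hostname cms.example.org and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log format: client, timestamp, request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Dashboard route from the advisory; the trailing segment is the marketplace <remoteId>.
DOWNLOAD_ROUTE = re.compile(r"^/(?:index\.php/)?dashboard/extend/install/download/([^/?]+)")


def is_cross_site(referer: str, site_host: str) -> bool:
    """True when the request was not navigated to from the site's own dashboard.

    A lure page can suppress Referer via Referrer-Policy, so an empty or "-" value
    is treated as suspicious rather than ignored.
    """
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname != site_host


def find_suspect_downloads(lines, site_host):
    """Return download-route requests whose Referer is missing or foreign (CSRF indicator)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        route = DOWNLOAD_ROUTE.match(m["path"])
        if route and is_cross_site(m["referer"], site_host):
            hits.append({"ip": m["ip"], "ts": m["ts"], "remote_id": route.group(1),
                         "referer": m["referer"], "status": m["status"]})
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:09:12:01 +0000] "GET /index.php/dashboard/extend/install/download/12345 HTTP/1.1" 302 0 "https://cms.example.org/index.php/dashboard/extend/install" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2026:09:15:44 +0000] "GET /index.php/dashboard/extend/install/download/99999 HTTP/1.1" 302 0 "https://lure.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2026:09:16:02 +0000] "GET /index.php/dashboard/extend/install/download/99999 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2026:09:17:00 +0000] "GET /index.php/dashboard/extend/install HTTP/1.1" 200 5120 "https://cms.example.org/index.php/dashboard" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspect_downloads(SAMPLE_LOG, "cms.example.org"):
        print(hit)
```

A hit is a trigger for review, not proof of compromise: an administrator opening a bookmarked download URL also produces an empty Referer, so confirm against the dashboard's package list and the marketplace account before acting.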

Frequently asked questions

What is the primary function of the vulnerable Concrete CMS dashboard endpoint?

The vulnerable endpoint in Concrete CMS, specifically /dashboard/extend/install/download/<remoteId>, is designed to allow administrators to download and install packages from the Concrete marketplace. However, it fails to validate a CSRF token, creating a security risk.

What weakness class describes the Concrete CMS vulnerability?

This vulnerability is classified as a Cross-Site Request Forgery (CSRF) due to the lack of token validation before processing requests to the download endpoint.

How can an attacker trigger the arbitrary package download vulnerability?

An attacker can exploit this by crafting a malicious webpage. When an authenticated administrator visits this page, the attacker can force the download of an arbitrary marketplace package because the CMS endpoint does not validate a CSRF token.

What is the relevance of CVE-2026-8140 for an organization?

This vulnerability poses a significant risk as it allows an unauthenticated attacker to potentially install unauthorized or malicious software on an organization's systems by tricking an administrator into downloading an arbitrary package from the Concrete marketplace.

What steps should be taken to address the Concrete CMS vulnerability?

To mitigate this risk, organizations should identify all Concrete CMS instances, restrict access to the dashboard installation endpoint, and update Concrete CMS to a version beyond 9.5.0. Continuous monitoring for suspicious activity is also recommended.
