CVE-2026-2994 in Concrete CMS

Summary

by MITRE • 03/04/2026

Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to z3rco for reporting.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/05/2026

This vulnerability exists within Concrete CMS versions prior to 9.4.8 and represents a cross-site request forgery flaw that can be exploited by a rogue administrator with existing access to the system. The vulnerability specifically occurs within the Anti-Spam Allowlist Group Configuration functionality where the system processes and saves changes to the group_id parameter before validating the CSRF token. This timing issue creates a window where malicious actions can be executed without proper authorization checks, effectively bypassing the intended security controls. The flaw allows an attacker who has already gained administrative privileges to manipulate the spam configuration settings in ways that could potentially weaken the system's anti-spam protections.

Technically, the vulnerability stems from an improper order of operations in the CMS's request handling. When an administrator modifies the Anti-Spam Allowlist Group Configuration, the system should validate the CSRF token before processing any parameter change. In affected versions, however, the handler persists the new group_id value first and verifies the token afterwards, so a forged request's change takes effect even though the token check that follows rejects the request. This design flaw aligns with CWE-352, cross-site request forgery, where the application fails to properly validate the authenticity of a state-changing request. The vulnerability demonstrates a weakness in the application's request validation and session management controls, as it allows parameter manipulation without the request's origin having been verified.
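To make the ordering flaw concrete, here is an added Python sketch (not Concrete CMS code) contrasting a handler that persists group_id before checking the token with one that checks first; the token field name ccm_token, the request shape and the sample values are assumptions.

```python
import hmac
import secrets


class CsrfRejected(Exception):
    """Raised when a request carries no valid anti-CSRF token."""


class AllowlistConfig:
    """Toy stand-in for the anti-spam allowlist setting (constructed)."""

    def __init__(self, group_id):
        self.group_id = group_id
        self.audit = []  # change records, as the analysis recommends tracking


def issue_token(session):
    """Bind a fresh random token to the admin's session."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def token_is_valid(session, request):
    expected = session.get("csrf")
    supplied = request.get("ccm_token", "")  # field name is an assumption
    return bool(expected) and hmac.compare_digest(expected, supplied)


def save_allowlist_vulnerable(config, session, request):
    # Bug pattern from the advisory: the change is persisted before the
    # token is checked, so a request that is then rejected already took effect.
    config.group_id = int(request["group_id"])
    config.audit.append(("save", config.group_id))
    if not token_is_valid(session, request):
        raise CsrfRejected("token check failed, but the save already happened")


def save_allowlist_fixed(config, session, request):
    # Corrected ordering: validate first, mutate nothing on failure.
    if not token_is_valid(session, request):
        raise CsrfRejected("token check failed")
    config.group_id = int(request["group_id"])
    config.audit.append(("save", config.group_id))


def forged_request_effect(handler):
    """Return the stored group_id after a forged request hits the handler."""
    config = AllowlistConfig(group_id=1)  # constructed existing allowlist group
    session = {}
    issue_token(session)  # victim admin is logged in; the token is unknown to a forger
    forged = {"group_id": "99", "ccm_token": "wrong"}  # constructed cross-site POST
    try:
        handler(config, session, forged)
    except CsrfRejected:
        pass
    return config.group_id
```

With the vulnerable ordering the forged request leaves group_id at 99 despite the rejection; with the fixed ordering it stays at 1.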

The operational impact of this vulnerability is significant for organizations relying on Concrete CMS for their content management needs. A rogue administrator with legitimate access can exploit this flaw to modify spam protection settings, potentially allowing spam attacks to bypass system defenses or to create false positives that could disrupt legitimate user interactions. The CVSS v4.0 score of 2.3 indicates a low severity impact, but this assessment should be interpreted carefully as it reflects the base score without considering the specific threat environment. The vulnerability requires an existing administrator account to be exploited, which means it represents an internal threat rather than an external attack vector. However, the security implications are concerning because it allows for privilege escalation within the context of an already compromised administrative account, potentially enabling more extensive damage. The fact that changes are saved before CSRF validation creates a persistent risk where malicious modifications can be applied to the system's spam configuration without proper oversight.

Organizations should mitigate this vulnerability promptly by upgrading to Concrete CMS version 9.4.8 or later, which corrects the CSRF token validation sequence. System administrators should also review the spam configuration settings for unauthorized modifications and consider additional monitoring around configuration changes. The mitigation strategy should include regular audits of administrative activity and least-privilege controls that limit the damage a compromised administrator account can do. This vulnerability highlights the importance of validating a request before acting on it and of correct CSRF protection in web applications, particularly in content management systems where administrative functions have broad system impact. Organizations should also consider transaction logging and configuration change tracking to detect and respond to unauthorized modifications of security settings. In ATT&CK terms the flaw aligns with T1078 (Valid Accounts) and T1566 (Phishing), as it exploits existing administrative access to perform unauthorized configuration changes without detection.

Responsible

ConcreteCMS

Reservation

02/22/2026

Disclosure

03/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00011

KEV

no

Activities

very low

Sources
