CVE-2026-2994 Overview
CVE-2026-2994 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting Concrete CMS versions below 9.4.8. The flaw resides in the Anti-Spam Allowlist Group Configuration feature, which processes the group_id parameter without validating the CSRF token before saving changes. An authenticated administrator-level victim can be coerced into submitting a forged request that modifies allowlist group configuration, resulting in a security bypass of the anti-spam control. The Concrete CMS security team assigned this issue a CVSS v4.0 score of 2.3. The vulnerability was reported by the researcher credited as z3rco.
Critical Impact
A rogue or tricked administrator can bypass anti-spam group allowlist controls in Concrete CMS, weakening platform-level abuse protections.
Affected Products
- Concrete CMS versions prior to 9.4.8
- Concrete CMS 9.x branch (Anti-Spam Allowlist Group Configuration component)
- Deployments exposing the administrative group_id configuration endpoint
Discovery Timeline
- 2026-03-04 - CVE-2026-2994 published to the National Vulnerability Database (NVD)
- 2026-03-04 - Last updated in the NVD database
Technical Details for CVE-2026-2994
Vulnerability Analysis
The vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Anti-Spam Allowlist Group Configuration handler of Concrete CMS. The application persists configuration changes submitted through the group_id parameter before validating the anti-CSRF token. This order-of-operations defect breaks the protection model that CSRF tokens are intended to enforce. An attacker who lures an authenticated administrator to a malicious page can trigger state-changing requests against the CMS. Because the token check occurs after the save, the request modifies the allowlist even when the token is missing or invalid. The result is a bypass of the anti-spam allowlist control without the attacker needing to know the administrator's session cookie or the CSRF token value.
Root Cause
The root cause is improper sequencing in the request handler: changes to the allowlist group configuration are committed prior to validating the CSRF token. This violates the standard pattern where authenticity verification must occur before any state mutation. The associated weakness is classified as [CWE-352].
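As an added illustration (model code written for this page, not Concrete CMS's handler), the defect class the root cause describes: a handler that persists group_id before checking the CSRF token, beside one that checks first. The class, method and form field names (csrf_token) are hypothetical.

```python
# Added example (not Concrete CMS code): a minimal model of the CVE-2026-2994
# defect class. save_vulnerable() mutates state before validating the token;
# save_fixed() validates first. All names here are hypothetical.
import hmac
import secrets
from typing import Optional


class CsrfError(Exception):
    """Raised when the request carries a missing or invalid CSRF token."""


class AntispamAllowlistConfig:
    """Stand-in for the persisted Anti-Spam Allowlist Group configuration."""

    def __init__(self) -> None:
        self.group_id: Optional[int] = None
        self.session_token = secrets.token_hex(16)  # token bound to the admin session

    def _check_token(self, submitted: Optional[str]) -> None:
        # Constant-time comparison; a missing or wrong value both fail.
        if submitted is None or not hmac.compare_digest(submitted, self.session_token):
            raise CsrfError("invalid or missing CSRF token")

    def save_vulnerable(self, form: dict) -> None:
        """Order-of-operations defect: the mutation happens before validation."""
        self.group_id = int(form["group_id"])     # state changed first...
        self._check_token(form.get("csrf_token"))  # ...token checked afterwards

    def save_fixed(self, form: dict) -> None:
        """Correct sequencing: authenticity is verified before any state change."""
        self._check_token(form.get("csrf_token"))
        self.group_id = int(form["group_id"])


def forged_request_outcome(handler_name: str) -> Optional[int]:
    """Submit a forged request (no token field) through the named handler and
    return the group_id left in the configuration afterwards."""
    cfg = AntispamAllowlistConfig()
    forged = {"group_id": "7"}  # constructed cross-site form post, no csrf_token
    try:
        getattr(cfg, handler_name)(forged)
    except CsrfError:
        pass  # the request is rejected, but was the config already changed?
    return cfg.group_id


if __name__ == "__main__":
    print("vulnerable:", forged_request_outcome("save_vulnerable"))
    print("fixed:     ", forged_request_outcome("save_fixed"))
```

Both handlers raise CsrfError on the forged request; only the vulnerable one leaves group_id modified.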
Attack Vector
Exploitation requires network access and user interaction. An attacker hosts a crafted page that issues an HTTP request to the vulnerable administrative endpoint with a controlled group_id value. When an authenticated Concrete CMS administrator visits the page, the browser submits the request with valid session cookies. The CMS saves the change before rejecting the request for an invalid CSRF token, leaving the configuration modified. See the GitHub Pull Request #12826 for technical details of the fix.
Detection Methods for CVE-2026-2994
Indicators of Compromise
- Unexpected modifications to the Anti-Spam Allowlist Group configuration in the Concrete CMS administrative dashboard.
- HTTP POST requests targeting the allowlist configuration endpoint that carry a Referer or Origin header from an external host.
- Audit log entries showing group_id parameter changes that do not correlate with planned administrator activity.
Detection Strategies
- Review web server access logs for requests to the Anti-Spam Allowlist Group Configuration endpoint with cross-origin referers.
- Correlate administrator session activity with configuration change events to identify out-of-band modifications.
- Inspect application audit trails for allowlist group changes lacking corresponding administrator UI navigation events.
Monitoring Recommendations
- Alert on HTTP requests to administrative Concrete CMS endpoints where the Origin or Referer header does not match the CMS hostname.
- Monitor for spikes in spam or abusive content that may indicate a successful allowlist bypass.
- Track changes to anti-spam configuration tables in the database and notify on unattended modifications.
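An added detection example (not from the page or the Concrete CMS project) that applies the Detection Strategies and Monitoring Recommendations above to combined-format web server access logs: it flags POSTs to the antispam dashboard path whose Referer is missing or belongs to a host other than the CMS. The log lines are constructed; the cms.example.com hostname is an assumption, and the path prefix is the one used in the page's ModSecurity rule (the exact save action URL is not given on the page, so a prefix match is used).

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Apache/nginx "combined" log line: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Path prefix of the Anti-Spam settings page (same prefix as the page's WAF rule);
# the exact save action URL is not known here, so a substring match is used.
ANTISPAM_PATH = "/dashboard/system/permissions/antispam"


def flag_csrf_candidates(lines: Iterable[str], cms_host: str) -> List[Dict[str, str]]:
    """Return POSTs to the antispam endpoint whose Referer is missing or names a
    host other than the CMS. Non-POSTs and other paths are ignored."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or ANTISPAM_PATH not in m["path"]:
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "missing-referer"
        elif (urlsplit(referer).hostname or "").lower() != cms_host.lower():
            reason = "external-referer"
        else:
            continue  # same-origin POST: ordinary admin activity
        hits.append({"time": m["time"], "ip": m["ip"], "user": m["user"],
                     "referer": referer, "reason": reason})
    return hits


# Constructed sample lines (not real traffic): a legitimate save, a save submitted
# from an unrelated site, a save with no Referer, and a harmless GET of the page.
SAMPLE_LOG = """\
203.0.113.5 - admin [04/Mar/2026:10:15:02 +0000] "POST /index.php/dashboard/system/permissions/antispam HTTP/1.1" 302 0 "https://cms.example.com/index.php/dashboard/system/permissions/antispam" "Mozilla/5.0"
203.0.113.5 - admin [04/Mar/2026:10:17:44 +0000] "POST /index.php/dashboard/system/permissions/antispam HTTP/1.1" 302 0 "https://bait.example.net/page.html" "Mozilla/5.0"
203.0.113.5 - admin [04/Mar/2026:10:18:01 +0000] "POST /index.php/dashboard/system/permissions/antispam HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2026:10:19:30 +0000] "GET /index.php/dashboard/system/permissions/antispam HTTP/1.1" 200 5120 "https://cms.example.com/index.php/dashboard" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in flag_csrf_candidates(SAMPLE_LOG.splitlines(), "cms.example.com"):
        print(hit)
```

Checking the Origin header the same way requires a custom LogFormat that records it, since the combined format only carries the Referer.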
How to Mitigate CVE-2026-2994
Immediate Actions Required
- Upgrade Concrete CMS to version 9.4.8 or later, which reorders the request flow to validate the CSRF token before saving changes.
- Audit current Anti-Spam Allowlist Group configurations for unauthorized entries and revert any unexpected changes.
- Restrict access to administrative URLs by IP allowlisting or VPN until the upgrade is applied.
Patch Information
The fix is included in Concrete CMS 9.4.8. Refer to the ConcreteCMS 9.x Release Notes and the corresponding GitHub Pull Request #12826 for the code change that enforces CSRF validation prior to persisting group_id updates.
Workarounds
- Instruct administrators to log out of Concrete CMS sessions when not actively managing the site to reduce CSRF exposure.
- Deploy a web application firewall (WAF) rule that blocks requests to the allowlist configuration endpoint when Origin or Referer headers are absent or external.
- Use browser isolation or a dedicated administrative browser profile for Concrete CMS management activities.
# Example WAF rule (ModSecurity) to block cross-origin POSTs to admin endpoints.
# Rule 1002994 blocks POSTs to the antispam dashboard page that carry no Origin
# header; rule 1002995 blocks POSTs whose Origin is not the CMS host. Replace
# cms.example.com with the real hostname before deploying.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1002994,phase:1,deny,status:403,log,chain,\
    msg:'CVE-2026-2994 CSRF mitigation - admin POST without Origin blocked'"
    SecRule REQUEST_URI "@contains /dashboard/system/permissions/antispam" "chain"
        SecRule &REQUEST_HEADERS:Origin "@eq 0" "t:none"

SecRule REQUEST_METHOD "@streq POST" \
    "id:1002995,phase:1,deny,status:403,log,chain,\
    msg:'CVE-2026-2994 CSRF mitigation - cross-origin admin POST blocked'"
    SecRule REQUEST_URI "@contains /dashboard/system/permissions/antispam" "chain"
        SecRule REQUEST_HEADERS:Origin "!@rx ^https://cms\.example\.com(:\d+)?$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.