SB20260505108 - Improper access control in Umbraco CMS

Published: May 5, 2026

Security Bulletin ID: SB20260505108
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2025-54425)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Content Delivery API output caching mechanism: once a Delivery API path and query have been placed in the output cache, later requests for the same path and query are answered from the cache without the API key being checked. A remote attacker can send a request without a valid API key and receive the cached response, disclosing sensitive information.

Exploitation is possible only when API key authorization and output caching are both enabled, and the requested path and query have recently been cached following a request made with a valid key.
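The caching precondition described above, as an added example that is not Umbraco's code: a Python model of an output cache placed in front of the API-key check, beside the corrected ordering that authorizes every request before touching the cache. The path, query, key value and content are constructed, and the model stands in for the real middleware rather than reproducing it.

```python
# Added example (not Umbraco's code): a minimal model of an HTTP pipeline with
# an output cache in front of an API-key check, versus one that checks the key
# first. The key value, path, query and content below are constructed.
from typing import Dict, Optional, Tuple

VALID_API_KEY = "demo-key-123"  # constructed sample value, not a real key


def render_delivery_api(path: str, query: str) -> str:
    """Stand-in for the protected Delivery API handler (constructed)."""
    return f"protected content for {path}?{query}"


class CacheBeforeAuth:
    """Weak ordering: the output cache is consulted before authorization.

    Once a request with a valid key has populated the entry, any later request
    for the same path and query is served from the cache and the key is never
    examined. A request that misses the cache is still rejected without a key."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], str] = {}

    def handle(self, path: str, query: str, api_key: Optional[str]) -> Tuple[int, str]:
        entry = (path, query)
        if entry in self.cache:          # cache hit: api_key is not looked at
            return 200, self.cache[entry]
        if api_key != VALID_API_KEY:
            return 401, ""
        body = render_delivery_api(path, query)
        self.cache[entry] = body
        return 200, body


class AuthBeforeCache(CacheBeforeAuth):
    """Corrected ordering: authorization runs on every request; only after it
    passes is the cache consulted or populated."""

    def handle(self, path: str, query: str, api_key: Optional[str]) -> Tuple[int, str]:
        if api_key != VALID_API_KEY:     # rejected before any cache lookup
            return 401, ""
        entry = (path, query)
        if entry not in self.cache:
            self.cache[entry] = render_delivery_api(path, query)
        return 200, self.cache[entry]


def probe(pipeline: CacheBeforeAuth) -> Tuple[int, int]:
    """Warm the cache with a valid key, then repeat the request without one.
    Returns (status with key, status without key) for that cached entry."""
    with_key, _ = pipeline.handle("/delivery/content", "fetch=children", VALID_API_KEY)
    without_key, _ = pipeline.handle("/delivery/content", "fetch=children", None)
    return with_key, without_key
```

`probe(CacheBeforeAuth())` returns `(200, 200)`, matching the bulletin's precondition that the entry must first be cached by an authorized request; `probe(AuthBeforeCache())` returns `(200, 401)`.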


Remediation

Install the update from the vendor's website.