SB20260505109 - Multiple vulnerabilities in Umbraco CMS

Published: May 5, 2026

Security Bulletin ID SB20260505109
CSH Severity Low
Patch available YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-31832)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated user to modify domain-related data for content nodes they are not authorized to edit.

The vulnerability exists due to broken object-level authorization in a backoffice API endpoint that assigns domains to content nodes: the endpoint confirms that the caller is a backoffice user, but the content node identifier supplied in the request is acted on without checking that the caller is permitted to edit that particular node. A remote low-privileged user (PR:L) can send a crafted API request naming another node's identifier and change its domain assignments.

This may result in malicious or unintended routing behaviour (a hostname resolving to content the attacker chose), service disruption, and potential disclosure of configuration-related information.


2) Cross-site scripting (CVE-ID: CVE-2026-31833)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged user to execute arbitrary script in other backoffice users' browsers (stored cross-site scripting).

The vulnerability exists due to insufficient sanitization in the UFM rendering pipeline when rendering property type descriptions that contain HTML. A remote privileged user can save a property type description that injects event handler attributes into supported web components; the handler then runs in the browser of any backoffice user for whom the description is rendered.

Only backoffice users with access to the Settings section can plant the payload, which is why the vector carries PR:H, and because the payload is stored in property type descriptions no crafted link is needed to deliver it. The victims are other backoffice users, so the impact appears in the subsequent-system metrics (SC:L/SI:L) rather than the vulnerable-system ones.
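The fix pattern for this class of issue is to render stored descriptions through an allow-list sanitizer that only emits known elements and attributes, so event-handler attributes are dropped without having to enumerate every on* name. The example below is added here and is not Umbraco's code or the UFM pipeline; the element and attribute allow-list, the hypothetical x-badge web component and the sample payloads are all constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list of elements and the attributes each may carry. Anything not
# listed is removed, so event-handler attributes (onclick, onerror, ...)
# are dropped without having to enumerate them. "x-badge" is a hypothetical
# stand-in for a web component that the rendering pipeline supports.
ALLOWED_ATTRS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "a": {"href", "title"},
    "span": {"class"},
    "x-badge": {"color", "look"},
}
VOID_TAGS = {"br"}
URL_ATTRS = {"href"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
DROP_WITH_CONTENT = {"script", "style"}   # never markup worth keeping


class AllowListSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens, emitting only allow-listed
    elements and attributes and re-escaping all text content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.dropped = []        # (kind, name) records for logging or tests
        self._suppress = 0       # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._suppress += 1
            self.dropped.append(("tag", tag))
            return
        if tag not in ALLOWED_ATTRS:
            self.dropped.append(("tag", tag))   # drop the tag, keep its text
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS[tag]:
                self.dropped.append(("attr", f"{tag}@{name}"))
            elif name in URL_ATTRS and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append(("attr", f"{tag}@{name}"))   # javascript: etc.
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._suppress = max(0, self._suppress - 1)
        elif tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.parts.append(escape(data, quote=False))


def sanitize_description(markup):
    """Return (clean_markup, dropped_items) for one property type description."""
    s = AllowListSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.parts), s.dropped


if __name__ == "__main__":
    # Constructed payloads of the kind the bulletin describes.
    for sample in (
        '<p onmouseover="alert(1)">Shown in the <b onclick="steal()">Settings</b> section</p>',
        '<x-badge color="danger" onclick="exfil()">New</x-badge>',
        '<a href="javascript:alert(1)" title="docs">link</a><img src=x onerror=alert(1)>',
    ):
        print(sanitize_description(sample))
```

Running the module prints the sanitized form of each constructed payload; the dropped list is what you would log to notice an account probing the description field. An allow-list is the right shape because a deny-list of on* names misses attributes introduced by new components or browser features; if the real renderer sets attributes on components programmatically, the same filter belongs at that point rather than on a serialized string.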


3) Missing Authorization (CVE-ID: CVE-2026-31834)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged user to escalate privileges to a more powerful backoffice role.

The vulnerability exists due to missing authorization in the user group membership management functionality: when a user group membership is modified, the application does not check that the acting user is entitled to grant the target group. A remote privileged user can add an account (including their own) to highly privileged user groups and thereby obtain those groups' permissions.

Exploitation requires an account with access to the "Users" section in the backoffice; the PR:H/VC:H/VI:H/VA:H vector reflects that such an account, which is not necessarily an administrator, can end up with the full permission set of the most privileged group.
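Items 1 and 3 are both authorization failures, of two different kinds: item 1 checks the caller but not the object the caller names, while item 3 performs a privileged action without checking that the caller is entitled to grant the privilege involved. The following example is added here and is not Umbraco's code; the user, group, section, permission and node names are a constructed model standing in for the backoffice's real data, and the checks show one reasonable policy rather than the vendor's actual fix.

```python
from dataclasses import dataclass, field

# Constructed model for illustration only: none of these types, permission
# or section names are Umbraco's own.

@dataclass(frozen=True)
class UserGroup:
    name: str
    sections: frozenset       # backoffice sections the group opens
    permissions: frozenset    # node-level actions the group grants
    start_nodes: frozenset    # content ids whose subtrees the group may edit


@dataclass
class User:
    id: int
    groups: tuple = ()

    def _union(self, attr):
        return frozenset().union(*(getattr(g, attr) for g in self.groups))

    sections = property(lambda self: self._union("sections"))
    permissions = property(lambda self: self._union("permissions"))
    start_nodes = property(lambda self: self._union("start_nodes"))


@dataclass
class ContentNode:
    id: int
    path: tuple               # ancestor ids, root first, ending with this id
    domains: list = field(default_factory=list)


class Forbidden(Exception):
    pass


# Item 1 pattern: the caller is authenticated, but nothing ties the request
# to the specific node id it names (CWE-639).
def assign_domains_vulnerable(actor, node, domains):
    if actor is None:
        raise Forbidden("not authenticated")
    node.domains = list(domains)
    return node.domains


# Hardened: the action must be permitted for this actor on this node.
def assign_domains(actor, node, domains):
    if actor is None:
        raise Forbidden("not authenticated")
    if "Domains" not in actor.permissions:
        raise Forbidden("no domain-management permission")
    if not actor.start_nodes.intersection(node.path):   # object-level check
        raise Forbidden(f"node {node.id} is outside the actor's start nodes")
    node.domains = list(domains)
    return node.domains


# Item 3 pattern, hardened: managing memberships needs the Users section,
# and an actor may only hand out sections and permissions they hold
# themselves, so a user manager cannot promote anyone (including themself)
# into a more powerful group. Start-node scope would additionally need a
# path-containment check, omitted here for brevity.
def add_to_group(actor, target, group):
    if "Users" not in actor.sections:
        raise Forbidden("Users section required")
    excess = (group.sections - actor.sections) | (group.permissions - actor.permissions)
    if excess:
        raise Forbidden(f"{group.name} grants privileges the actor lacks: {sorted(excess)}")
    target.groups = target.groups + (group,)
    return target.sections


# Constructed sample groups.
EDITOR = UserGroup("Editor", frozenset({"Content"}),
                   frozenset({"Browse", "Update", "Domains"}), frozenset({20}))
ADMIN = UserGroup("Administrators", frozenset({"Content", "Settings", "Users"}),
                  frozenset({"Browse", "Update", "Domains", "Delete"}), frozenset({1}))
USER_MANAGER = UserGroup("UserManagers", frozenset({"Users"}), frozenset(), frozenset())


def _outcome(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"


def demo():
    editor = User(7, (EDITOR,))              # may edit the subtree under node 20
    own_page = ContentNode(21, (1, 20, 21))
    other_site = ContentNode(31, (1, 30, 31))
    manager = User(8, (USER_MANAGER,))
    admin = User(1, (ADMIN,))
    return {
        "vuln_other_site": assign_domains_vulnerable(editor, other_site, ["evil.example"]),
        "fixed_other_site": _outcome(assign_domains, editor, ContentNode(31, (1, 30, 31)), ["evil.example"]),
        "fixed_own_page": assign_domains(editor, own_page, ["site.example"]),
        "manager_self_promote": _outcome(add_to_group, manager, manager, ADMIN),
        "admin_grants_editor": sorted(add_to_group(admin, manager, EDITOR)),
    }
```

demo() returns a dictionary of outcomes: the unchecked assigner lets an editor rewrite the domains of a node outside their start nodes, the hardened one refuses that while still allowing the editor's own page, and a user manager cannot add themself to the administrators group although an administrator can still grant the editor group. The second check matters because it is the one the Users-section requirement alone does not provide.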


Remediation

Install the update from the vendor's website. All three issues require an authenticated backoffice account, and two of them require access to the Settings or Users sections, so auditing which accounts hold those sections (and removing stale or over-privileged ones) limits exposure until the update is applied.