Main Vulnerability Database Vulnerabilities #VU130183

Improper access control in Umbraco CMS - CVE-2023-37267

Published: July 13, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU130183

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-37267

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Umbraco

Affected software:
Umbraco CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to gain admin-level access to the backoffice.

The vulnerability exists due to improper access control in the backoffice installation mode when Umbraco is restarted while the database is unavailable and then the connection is re-established. A remote attacker can cause the application to boot into installation mode and reset admin credentials to gain admin-level access to the backoffice.

User interaction is required.

How to mitigate CVE-2023-37267

Install security update from vendor's website.

Sources

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-h8wc-r4jh-mg7m

Improper access control in Umbraco CMS - CVE-2023-37267

Detailed vulnerability description

How to mitigate CVE-2023-37267

Sources

Please verify you're human