Improper access control in Umbraco CMS - CVE-2025-54425


Published: May 5, 2026


Vulnerability identifier: #VU130186
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-54425
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Umbraco
Affected software:
Umbraco CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the content delivery API output caching mechanism when handling requests to cached delivery API paths and queries. A remote attacker can send a request without a valid API key to disclose sensitive information.

Exploitation is possible only when API key authorization and output caching are enabled together, and the requested path and query have recently been cached following a request with a valid key.
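The following is an added, constructed model of the failure mode this advisory describes: an output cache that is consulted before the API-key check, so a response cached after one keyed request is served to a later request for the same path and query that carries no key. It is not Umbraco's code and makes no claim about how Umbraco's delivery API or its cache are implemented; the key value, paths and `render` stub are all assumptions. The fixed variant beside it shows the defensive rule: decide authorization first, and never let an unauthorized request reach the cache.

```python
"""Constructed illustration of CWE-284 in an output cache (not Umbraco code).

VulnerableDeliveryApi looks up the cache before enforcing the API key, so a
response cached for a keyed request leaks to an unkeyed replay of the same
path and query. FixedDeliveryApi enforces the key before touching the cache.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

VALID_API_KEY = "constructed-example-key"   # hypothetical key, not a real one


@dataclass
class Request:
    path: str
    query: str
    api_key: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str
    from_cache: bool = False


def authorized(req: Request) -> bool:
    """Stand-in for API-key authorization."""
    return req.api_key == VALID_API_KEY


def render(req: Request) -> Response:
    """Stand-in for the real content lookup."""
    return Response(200, f"content for {req.path}?{req.query}")


@dataclass
class VulnerableDeliveryApi:
    """Cache keyed only on (path, query) and consulted before the key check."""
    cache: Dict[Tuple[str, str], Response] = field(default_factory=dict)

    def handle(self, req: Request) -> Response:
        key = (req.path, req.query)
        if key in self.cache:                 # BUG: served regardless of api_key
            hit = self.cache[key]
            return Response(hit.status, hit.body, from_cache=True)
        if not authorized(req):
            return Response(401, "missing or invalid API key")
        resp = render(req)
        self.cache[key] = resp                # only authorized output is cached
        return resp


@dataclass
class FixedDeliveryApi:
    """Authorization is decided before the cache is consulted (fail closed)."""
    cache: Dict[Tuple[str, str], Response] = field(default_factory=dict)

    def handle(self, req: Request) -> Response:
        if not authorized(req):               # unauthorized requests never see the cache
            return Response(401, "missing or invalid API key")
        key = (req.path, req.query)
        if key in self.cache:
            hit = self.cache[key]
            return Response(hit.status, hit.body, from_cache=True)
        resp = render(req)
        self.cache[key] = resp
        return resp


def demo(api) -> Tuple[int, int]:
    """Prime the cache with a keyed request, then repeat it without a key.
    Returns (status of keyed request, status of the unkeyed repeat)."""
    path, query = "/delivery/api/example", "take=10"   # constructed values
    keyed = api.handle(Request(path, query, VALID_API_KEY))
    unkeyed = api.handle(Request(path, query))
    return keyed.status, unkeyed.status


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableDeliveryApi()))   # (200, 200): cached body leaks
    print("fixed:     ", demo(FixedDeliveryApi()))        # (200, 401): key still required
```

The precondition stated above maps directly onto the model: the leak needs both the key check and the cache enabled, and it needs the path and query to have been cached by an earlier keyed request; a cold cache returns 401 in both variants.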


How to mitigate CVE-2025-54425

Install the security update from the vendor's website.

Sources