Umbraco CMS Content Delivery API Caching Vulnerability Allows Bypassing API Key Requirement

Vulnerability

A vulnerability exists in the Umbraco CMS Content Delivery API in versions 13.0.0 prior to 13.9.3, 15.0.0 prior to 15.4.4, and 16.0.0 prior to 16.1.1. The issue arises when the API is configured to require an API key for access and output caching is enabled. In this scenario, caching does not account for the API key header, allowing users without a valid key to access cached responses for paths and queries that have been previously requested by users with a valid key. This vulnerability can be exploited to retrieve content from the API without proper authorization, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability allows unauthorized users to access cached responses from the Content Delivery API, bypassing the API key requirement. This could lead to the unintentional exposure of sensitive content that should have been protected.

Remediation

Users can upgrade to Umbraco versions 13.9.3, 15.4.4, or 16.1.1 to address this vulnerability. Alternatively, the caching duration can be reduced or removed, or access to the Delivery API can be restricted by IP.
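The failure mode described above is a cache key that omits the credential the endpoint relies on: once an authorized client has warmed the cache for a path and query string, the cache serves the stored response before the key check ever runs. The following Python model, added here as an illustration and not code from the advisory or from Umbraco, contrasts a cache that keys only on path and query with one that authorizes first and also varies the key by the API key header. The header name `Api-Key`, the demo key value and the request paths are constructed for the example.

```python
"""Constructed model of an output cache that ignores an API key header.

Two miniature "APIs" wrap the same content renderer:
  * VulnerableCachedApi consults the cache before checking the key, and its
    cache key contains only path and query, so a warmed entry is served to
    anyone (the behaviour the advisory describes).
  * HardenedCachedApi checks the key before touching the cache and includes
    the credential header in the cache key (vary-by-header).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

API_KEY_HEADER = "Api-Key"          # assumed header name for the illustration
VALID_KEY = "constructed-demo-key"  # constructed, not a real key

Response = Tuple[int, str]


@dataclass
class Request:
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def authorized(req: Request) -> bool:
    """Stand-in for the API key requirement on the Delivery API."""
    return req.headers.get(API_KEY_HEADER) == VALID_KEY


def render_content(req: Request) -> Response:
    """Stand-in for the expensive content lookup that caching is meant to save."""
    return 200, f"content for {req.path}?{req.query}"


class VulnerableCachedApi:
    """Cache keyed on (path, query) only, consulted before authorization."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], Response] = {}

    def handle(self, req: Request) -> Response:
        key = (req.path, req.query)            # credential is not part of the key
        if key in self.cache:                  # hit: key check is never reached
            return self.cache[key]
        if not authorized(req):
            return 401, "missing or invalid API key"
        resp = render_content(req)
        self.cache[key] = resp
        return resp


class HardenedCachedApi:
    """Authorize first; cache key varies by the credential header as well."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str, str], Response] = {}

    def handle(self, req: Request) -> Response:
        if not authorized(req):                # auth decision precedes the cache
            return 401, "missing or invalid API key"
        key = (req.path, req.query, req.headers.get(API_KEY_HEADER, ""))
        if key in self.cache:
            return self.cache[key]
        resp = render_content(req)
        self.cache[key] = resp
        return resp


def simulate(api) -> Tuple[int, int, int]:
    """Return status codes for: warm-up with a key, anonymous request for the
    same path/query, anonymous request for a path never cached."""
    path, query = "/api/content/item", "expand=properties"   # constructed
    warm = api.handle(Request(path, query, {API_KEY_HEADER: VALID_KEY}))
    anon_same = api.handle(Request(path, query))
    anon_cold = api.handle(Request("/api/content/other", query))
    return warm[0], anon_same[0], anon_cold[0]


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableCachedApi()))  # (200, 200, 401)
    print("hardened:  ", simulate(HardenedCachedApi()))    # (200, 401, 401)
```

The middle value is the one that matters: the vulnerable cache answers the anonymous request for an already-cached path with 200, while the hardened version returns 401 regardless of cache state. Shortening or removing the cache duration, as the advisory suggests as an interim measure, only narrows the window in which the first model's cached entry exists; it does not change the ordering problem.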

Added: Jul 30, 2025, 2:21 PM
Updated: Jul 30, 2025, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 9.0
remediation: 7.9
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.