Umbraco CMS Broken Object-Level Authorization Vulnerability in Backoffice API

Vulnerability

A broken object-level authorization vulnerability has been identified in Umbraco CMS versions 14.0.0 and later, prior to the fixed releases 16.5.1 and 17.2.2. The flaw is in a backoffice API endpoint that lets authenticated users assign domain-related data to content nodes without a proper authorization check on the target node. Because the endpoint does not enforce object-level authorization, an editor can set domains on content nodes they are not permitted to access, whether that access is restricted through user group privileges or through content start nodes.
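As an added illustration that is not Umbraco's code (all names are hypothetical), the following Python models the object-level check such an endpoint needs: a content tree with per-user start nodes, a vulnerable handler that only requires authentication, and a hardened one that refuses nodes outside the caller's start nodes or privileges.

```python
# Illustrative model of the object-level check; hypothetical names, not Umbraco's types or APIs.
from typing import Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentNode:
    id: int
    parent_id: Optional[int]  # None marks the root of the content tree


@dataclass(frozen=True)
class User:
    name: str
    start_node_ids: frozenset   # content start nodes granted via user groups
    may_manage_domains: bool    # illustrative user-group privilege (assumed)


class ContentTree:
    def __init__(self, nodes):
        self.nodes = {n.id: n for n in nodes}

    def ancestors_and_self(self, node_id):
        """Ids from the node up to the root; KeyError if the node is unknown."""
        chain, current = [], self.nodes[node_id]
        while True:
            chain.append(current.id)
            if current.parent_id is None:
                return chain
            current = self.nodes[current.parent_id]

    def is_within_start_nodes(self, user, node_id):
        """Reachable only if one of the user's start nodes lies on the path."""
        return any(i in user.start_node_ids for i in self.ancestors_and_self(node_id))


def assign_domain_unchecked(domains, node_id, hostname):
    """Vulnerable pattern: authentication is the only gate, so any editor can
    attach a hostname to whatever node id they name in the request."""
    domains.setdefault(node_id, set()).add(hostname)
    return domains[node_id]


def assign_domain_checked(tree, domains, user, node_id, hostname):
    """Hardened pattern: check the privilege and the object-level access
    before the node is touched; raises PermissionError when either fails."""
    if not user.may_manage_domains:
        raise PermissionError(f"{user.name} lacks the domain privilege")
    if node_id not in tree.nodes:
        raise LookupError(f"unknown content node {node_id}")
    if not tree.is_within_start_nodes(user, node_id):
        raise PermissionError(f"{user.name} may not access node {node_id}")
    return assign_domain_unchecked(domains, node_id, hostname)
```

The check must run on the node named in the request, not only on the nodes the editor can see in the tree UI, since the request body can name any id.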

Impact

Exploitation of this vulnerability allows unauthorized modification of the domain configuration of content nodes, which can lead to malicious or unintended routing behavior, service disruption, and disclosure of configuration-related information.

Remediation

Users should upgrade to Umbraco CMS version 16.5.1 or 17.2.2 to address this vulnerability.

Added: Mar 10, 2026, 10:19 PM
Updated: Mar 10, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.