Description
Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access Exploitation
Action: Patch Now
AI Analysis

Impact

A vulnerability in Umbraco Engage prior to versions 16.2.1 and 17.1.1 allows attackers to query specific API endpoints without any authentication or authorization checks. By supplying a user-controlled identifier such as "?id=", the endpoints return sensitive data tied to that identifier. Because the API performs no access control, an attacker can enumerate predictable or enumerable identifiers to harvest large volumes of analytics, tracking, customer, or other confidential Engage data, resulting in a high confidentiality impact. No integrity or availability impact has been identified.

Affected Systems

The affected product is Umbraco Engage (Umbraco.Engage.Forms). Versions earlier than 16.2.1 on the 16.x line and earlier than 17.1.1 on the 17.x line are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating a high severity. The EPSS score is less than 1%, implying a low likelihood of immediate exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit this weakness remotely by sending unauthenticated HTTP requests directly over the network to the exposed API endpoints. Since no authentication is required, exploitation is straightforward once the endpoints are discovered.

Generated by OpenCVE AI on April 17, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade to v16.2.1 or v17.1.1.
  • Configure network controls or firewall rules to restrict public access to the affected API endpoints.
  • If the upgrade cannot be performed immediately, disable the exposed API endpoints or limit access via application configuration and consider implementing authentication mechanisms such as Basic auth, API keys, or JWT to enforce access control.

Generated by OpenCVE AI on April 17, 2026 at 14:14 UTC.
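As an added example (not part of the OpenCVE record, the GHSA advisory, or Umbraco's code), the script below scans web-server access logs for the pattern the advisory describes: one client pulling many distinct ?id= values from an Engage API path and getting HTTP 200 back, which is what a pre-patch exploitation attempt would leave behind. The endpoint path and the log lines are constructed placeholders; substitute the real Engage API paths of your deployment.

```python
import re
from collections import defaultdict
# Constructed sample lines in combined access-log format. The endpoint path is a
# placeholder (not taken from the advisory); replace it with your deployment's paths.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2026:10:00:01 +0000] "GET /umbraco/engage/api/PLACEHOLDER?id=1001 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.10 - - [27/Feb/2026:10:00:02 +0000] "GET /umbraco/engage/api/PLACEHOLDER?id=1002 HTTP/1.1" 200 498 "-" "curl/8.4"
203.0.113.10 - - [27/Feb/2026:10:00:03 +0000] "GET /umbraco/engage/api/PLACEHOLDER?id=1003 HTTP/1.1" 200 503 "-" "curl/8.4"
203.0.113.10 - - [27/Feb/2026:10:00:04 +0000] "GET /umbraco/engage/api/PLACEHOLDER?id=1004 HTTP/1.1" 200 511 "-" "curl/8.4"
198.51.100.7 - - [27/Feb/2026:10:00:05 +0000] "GET /umbraco/engage/api/PLACEHOLDER?id=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.3 - - [27/Feb/2026:10:01:00 +0000] "GET /umbraco/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, request line (method + URL) and status code from a combined-format line
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def parse_id_requests(log_text):
    """Yield (client, path, id_value, status) for every request carrying an id= parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if "id" in params:
            yield m.group("client"), path, params["id"], int(m.group("status"))

def _is_sequential(ids):
    """True when the ids are integers forming one contiguous run (predictable identifiers)."""
    try:
        nums = sorted(int(i) for i in ids)
    except ValueError:
        return False
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1

def find_id_enumeration(log_text, path_prefix="/umbraco/engage/api/", min_distinct_ids=3):
    """Return (client, path, distinct_id_count, sequential) for clients that fetched many records."""
    seen = defaultdict(set)
    for client, path, id_value, status in parse_id_requests(log_text):
        if path.startswith(path_prefix) and status == 200:
            seen[(client, path)].add(id_value)
    return sorted(
        (client, path, len(ids), _is_sequential(ids))
        for (client, path), ids in seen.items()
        if len(ids) >= min_distinct_ids
    )
if __name__ == "__main__":
    for client, path, count, sequential in find_id_enumeration(SAMPLE_LOG):
        print(f"{client}: {count} distinct ids from {path} (sequential={sequential})")
```

A hit with sequential=True is the strongest signal, since the advisory notes the identifiers are predictable; tune min_distinct_ids to the normal per-client request volume of your site.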

Advisories

Source: Github GHSA
ID: GHSA-86vq-ccwf-rm62
Title: Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints
History

Tue, 03 Mar 2026 06:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Umbraco; Umbraco umbraco Forms

Type: Vendors & Products
Values Added: Umbraco; Umbraco umbraco Forms

Thu, 26 Feb 2026 22:15:00 +0000

Type: Description
Values Added: Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available.

Type: Title
Values Added: Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints

Type: Weaknesses
Values Added: CWE-284, CWE-306, CWE-639

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:40:36.982Z

Reserved: 2026-02-19T17:25:31.100Z

Link: CVE-2026-27449

Vulnrichment

Updated: 2026-03-03T01:40:31.023Z

NVD

Status: Deferred

Published: 2026-02-26T22:20:47.960

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses