Description
Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by insufficient authorization enforcement on the affected API endpoint, whereby via an API call, domains can be set on content nodes that the editor does not have permission to access (either via user group privileges or start nodes). This vulnerability is fixed in 16.5.1 and 17.2.2.
Published: 2026-03-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

Umbraco CMS has a broken object‑level authorization flaw in a backoffice API that lets any authenticated user assign domains to content nodes without proper access checks. This failure allows a user who should not have permission to modify a node to attach arbitrary domain data, potentially enabling domain hijacking, phishing, or brand impersonation. The weakness is classified as CWE‑639 and results in unauthorized data integrity compromise, but does not provide remote code execution or service disruption.

Affected Systems

The vulnerability affects Umbraco CMS versions from 14.0.0 up to, but not including, 16.5.1 and from older releases up to, but not including, 17.2.2. Users running these CMS releases should review their installations to determine if they are on a vulnerable version.

Risk and Exploitability

The CVSS base score is 5.4, indicating a moderate severity. The EPSS score is less than 1 %, showing a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session and an API call to the affected endpoint; no additional privileges or network access beyond normal user credentials are needed. Given the limited exposure, the overall risk is moderate but should be addressed promptly to prevent potential domain manipulation.

Generated by OpenCVE AI on April 16, 2026 at 03:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release (at least 16.5.1 or 17.2.2).
  • If immediate upgrade is not possible, restrict the backoffice API endpoint to administrators or remove domain assignment functionality entirely.
  • Monitor API activity for unauthorized domain assignment attempts and review user permissions to limit scope of access.

Generated by OpenCVE AI on April 16, 2026 at 03:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fpvf-fvp5-996r Umbraco Backoffice API Allows Unauthorized Modification of Domain Data
History

Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Umbraco umbraco Cms
CPEs cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*
Vendors & Products Umbraco umbraco Cms

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Umbraco
Umbraco cms
Vendors & Products Umbraco
Umbraco cms

Tue, 10 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by insufficient authorization enforcement on the affected API endpoint, whereby via an API call, domains can be set on content nodes that the editor does not have permission to access (either via user group privileges or start nodes). This vulnerability is fixed in 16.5.1 and 17.2.2.
Title Umbraco Backoffice API Allows Unauthorized Modification of Domain Data
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Umbraco Cms Umbraco Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:58:54.874Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31832

cve-icon Vulnrichment

Updated: 2026-03-11T15:51:49.053Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T22:16:21.257

Modified: 2026-03-18T20:08:28.490

Link: CVE-2026-31832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses