Description
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.
Published: 2026-03-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

A deficiency in Umbraco CMS caused a vertical privilege escalation where authenticated backoffice users who can manage users may assign high‑privilege roles to themselves or others. The flaw lies in missing authorization checks on user group modifications, enabling the elevation of privileges without proper enforcement. This represents missing authorization checks (CWE‑269), insufficient access control (CWE‑284), and lack of privilege verification (CWE‑862). Consequently, a malicious or inadvertently misused authenticated user could gain administrative control over the site.

Affected Systems

The vulnerability affects Umbraco CMS versions from 15.3.1 up to, but not including, 16.5.1 and 17.2.2. Administrators should verify that their deployment runs a fixed release, namely 16.5.1 or 17.2.2, or later.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate to high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no widespread publicly available exploits. Attackers would need authenticated backoffice access with user‑management rights to exploit the flaw, and could then promote themselves to a privileged role through the unprotected user group interface.

Generated by OpenCVE AI on April 16, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Umbraco to version 16.5.1 or 17.2.2, which implements proper authorization checks on user group changes.
  • Revoke or remove user‑management permissions from non‑administrator backoffice users until the fix is applied, ensuring that only critical roles can alter group memberships.
  • Audit backoffice role definitions and enforce least privilege, applying necessary restrictions and monitoring changes to user groups for anomalous activity.

Generated by OpenCVE AI on April 16, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rhcg-3h8r-v6vp Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
History

Wed, 18 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Umbraco
Umbraco umbraco Cms
Vendors & Products Umbraco
Umbraco umbraco Cms

Tue, 10 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.
Title Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
Weaknesses CWE-269
CWE-284
CWE-862
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Umbraco Umbraco Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:58:38.854Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31834

cve-icon Vulnrichment

Updated: 2026-03-11T15:52:29.661Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T22:16:21.567

Modified: 2026-03-18T19:49:17.780

Link: CVE-2026-31834

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses