Description
Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.
Published: 2026-06-10
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Surface Controllers that support member operations within Umbraco CMS. These controllers fail to validate user-controlled redirect URLs: a malicious actor can supply a crafted query parameter that sends a legitimate user to an arbitrary site, potentially facilitating phishing or malware distribution. The flaw is a classic open-redirect weakness (CWE-601) and represents a moderate attack surface, since exploitation requires a victim to follow a crafted link to the application (user interaction, as the CVSS vector records).

Affected Systems

Any Umbraco CMS installation on the 13.x series prior to 13.14.0 or on the 17.x series prior to 17.4.0 is affected. The exposure is limited to the Surface Controllers that handle member-related requests; other parts of the CMS are not affected.

Risk and Exploitability

The CVSS score of 5.4 classifies the issue as moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a crafted link whose redirect query parameter, which the affected controllers do not sanitize, points to an external site; a user who follows the link is redirected there. No authentication or privileged conditions are required beyond standard web access.

Generated by OpenCVE AI on June 10, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch (UMBRACO‑CMS 13.14.0 or 17.4.0) to eliminate the open‑redirect flaw.
  • Configure the application to whitelist redirect URLs or remove the RedirectUrl query parameter altogether, ensuring redirects only target internal paths.
  • Validate all redirect input to confirm it matches an approved list of internal URLs before performing a redirect.
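One way to implement the allow-list check described in the last two actions, as an added example rather than Umbraco's patch or any code from the advisory: a small C# helper that honours a RedirectUrl value only when it is a site-relative path and otherwise falls back to a fixed internal route. The class and method names, the length cap and the sample inputs are assumptions made for illustration; it assumes .NET 6 or later with nullable reference types enabled. Inside an ASP.NET Core controller the framework's own `Url.IsLocalUrl(...)` performs an equivalent check and is the better choice where it is available.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from Umbraco or from the CVE record.
// Demonstrates the "validate redirect input against internal paths" action:
// a member-facing action honours a RedirectUrl query parameter only when it
// is a site-relative path, and otherwise uses a fixed default route.
public static class SafeRedirect
{
    // Upper bound on an accepted path; an assumed defensive limit, not a
    // value taken from Umbraco.
    private const int MaxPathLength = 2048;

    // True only for a rooted, same-site path such as "/member/profile?tab=1".
    // The checks mirror what ASP.NET Core's IUrlHelper.IsLocalUrl enforces:
    //  - must start with exactly one '/': "//host" and "/\host" are
    //    protocol-relative and would send the browser to another site;
    //  - no control characters, which could confuse a downstream parser
    //    or split the response header;
    //  - absolute URLs and bare schemes ("https://", "javascript:") fail
    //    the leading-slash rule.
    public static bool IsLocalPath(string? candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        if (candidate.Length > MaxPathLength) return false;
        if (candidate[0] != '/') return false;
        if (candidate.Length > 1 && (candidate[1] == '/' || candidate[1] == '\\')) return false;
        foreach (char c in candidate)
        {
            if (char.IsControl(c)) return false;
        }
        return true;
    }

    // The value a controller should actually redirect to: the requested
    // target when it passes IsLocalPath, otherwise the fallback route.
    public static string Resolve(string? requested, string fallback)
        => IsLocalPath(requested) ? requested! : fallback;
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs standing in for values of a RedirectUrl
        // query parameter; none of them come from the advisory.
        var samples = new List<string?>
        {
            "/member/profile",                   // accepted
            "/member/profile?tab=orders",        // accepted
            "https://external.example/login",    // absolute URL: rejected
            "//external.example/login",          // protocol-relative: rejected
            "/\\external.example/login",         // backslash variant: rejected
            "javascript:alert(1)",               // scheme, not rooted: rejected
            "/member\r\nSet-Cookie: x=1",        // control characters: rejected
            "",                                  // empty: rejected
            null,                                // missing: rejected
        };

        foreach (var s in samples)
        {
            string target = SafeRedirect.Resolve(s, "/");
            Console.WriteLine($"{(s ?? "<null>"),-36} -> {target}");
        }
    }
}
```

The fallback is a fixed internal route rather than the referrer, so a rejected value never leaks back into a redirect; the same helper can be applied to any other user-supplied "return to" parameter the site reads.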



Advisories
Source: GitHub GHSA
ID: GHSA-2qjj-h6wp-c7h7
Title: Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
History

Wed, 10 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Umbraco; Umbraco cms

Type: Vendors & Products
Values Added: Umbraco; Umbraco cms

Wed, 10 Jun 2026 17:00:00 +0000

Type: Description
Values Added: Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.

Type: Title
Values Added: Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

Type: Weaknesses
Values Added: CWE-601

Type: References
Values Added: (none listed on this page)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:31:20.183Z

Reserved: 2026-05-15T19:34:14.012Z

Link: CVE-2026-46616

Vulnrichment

Updated: 2026-06-10T19:10:46.463Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T17:16:37.387

Modified: 2026-06-10T20:23:19.253

Link: CVE-2026-46616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:30:36Z

Weaknesses