Umbraco CVE-2025-27601
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.
AnalysisAI
Umbraco is a free and open source .NET content management system. [CVSS 4.3 MEDIUM]
Technical ContextAI
Classified as CWE-285 (Improper Authorization). Affects s API management package. Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.
Affected ProductsAI
Product: s API management package. Versions: up to 15.2.3.
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
Same weakness CWE-285 – Improper Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6ffg-mjg7-585x