CVE-2026-31832
MEDIUM
GHSA-fpvf-fvp5-996r
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3Description
Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by insufficient authorization enforcement on the affected API endpoint, whereby via an API call, domains can be set on content nodes that the editor does not have permission to access (either via user group privileges or start nodes). This vulnerability is fixed in 16.5.1 and 17.2.2.
Analysis
Umbraco CMS versions 14.0.0 through 16.5.0 and 17.0.0-17.2.1 contain an authorization bypass in a backoffice API endpoint that allows authenticated editors to assign domain configurations to content nodes they lack permission to access. An attacker with valid credentials could exploit this to modify domain settings on restricted content, potentially affecting content visibility or routing. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today