Umbraco CMS CVE-2026-46616
MEDIUM
GHSA-2qjj-h6wp-c7h7
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
Impact
Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.
Patches
The issue is resolved in versions 17.4.0 and 13.14.0.
Workarounds
If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController passes a concrete, trusted RedirectUrl into Html.BeginUmbracoForm's route values.
For example:
@using (Html.BeginUmbracoForm<UmbLoginStatusController>(
"HandleLogout",
new { RedirectUrl = Model.Url() }))
{
<button type="submit">Log out</button>
}Resources
https://github.com/umbraco/Umbraco-CMS/pull/22565 https://github.com/umbraco/Umbraco-CMS/pull/22561
AnalysisAI
Open redirect vulnerability in Umbraco CMS Surface Controllers allows unauthenticated remote attackers to redirect authenticated victims to arbitrary external URLs following form submissions. The affected controllers - UmbLoginStatusController, UmbProfileController, and UmbRegisterController - accepted user-controlled RedirectUrl query parameters without validating that the destination was a local URL, enabling phishing and credential harvesting attacks. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today