Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Impact
Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.
Patches
The issue is resolved in versions 17.4.0 and 13.14.0.
Workarounds
If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController passes a concrete, trusted RedirectUrl into Html.BeginUmbracoForm's route values.
For example:
@using (Html.BeginUmbracoForm<UmbLoginStatusController>(
"HandleLogout",
new { RedirectUrl = Model.Url() }))
{
<button type="submit">Log out</button>
}Resources
https://github.com/umbraco/Umbraco-CMS/pull/22565 https://github.com/umbraco/Umbraco-CMS/pull/22561
AnalysisAI
Open redirect vulnerability in Umbraco CMS Surface Controllers allows unauthenticated remote attackers to redirect authenticated victims to arbitrary external URLs following form submissions. The affected controllers - UmbLoginStatusController, UmbProfileController, and UmbRegisterController - accepted user-controlled RedirectUrl query parameters without validating that the destination was a local URL, enabling phishing and credential harvesting attacks. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS score of 5.4 reflects low-complexity network exploitation requiring only victim interaction.
Technical ContextAI
Umbraco CMS is a .NET-based open-source CMS distributed as a NuGet package (pkg:nuget/Umbraco.Cms). Its Surface Controllers are ASP.NET MVC controllers that handle member-facing operations such as login, logout, profile update, and member registration. These controllers processed a RedirectUrl form parameter derived from query strings in Razor templates without invoking any URL validation. The root cause maps to CWE-601 (URL Redirection to Untrusted Site / 'Open Redirect'): the application trusted user-supplied redirect destinations unconditionally. The fix, visible in the PR diffs for UmbLoginStatusController.cs, UmbProfileController.cs, and UmbRegisterController.cs, adds an Url.IsLocalUrl() guard check before using the redirect value, ensuring only same-origin URLs are honored. This is a standard ASP.NET mitigation for CWE-601.
RemediationAI
The primary fix is to upgrade Umbraco.Cms to version 13.14.0 (LTS branch) or 17.4.0 (current branch), as confirmed by the vendor advisory at https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7. The upstream code changes are available in PR #22561 and PR #22565 at https://github.com/umbraco/Umbraco-CMS/pull/22561 and https://github.com/umbraco/Umbraco-CMS/pull/22565. For sites that cannot upgrade immediately, the vendor-recommended workaround is to ensure every Razor form that posts to UmbLoginStatusController, UmbProfileController, or UmbRegisterController explicitly passes a concrete, trusted RedirectUrl as a hardcoded route value within Html.BeginUmbracoForm - for example, using Model.Url() or a static relative path. This prevents user-controlled query parameters from populating the redirect destination. The trade-off of this workaround is that it requires auditing and modifying every affected template in the site's codebase, and any form that is missed remains vulnerable; a missed form could be exploited before the audit is complete. Upgrading is strongly preferred.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36069
GHSA-2qjj-h6wp-c7h7