Skip to main content

Umbraco CMS EUVDEUVD-2026-36069

| CVE-2026-46616 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-21 https://github.com/umbraco/Umbraco-CMS GHSA-2qjj-h6wp-c7h7
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Jun 12, 2026 - 19:37 NVD
5.4 (MEDIUM) 6.1 (MEDIUM)
Source Code Evidence Fetched
May 21, 2026 - 20:34 vuln.today
Analysis Generated
May 21, 2026 - 20:34 vuln.today

DescriptionNVD

Impact

Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.

Patches

The issue is resolved in versions 17.4.0 and 13.14.0.

Workarounds

If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController passes a concrete, trusted RedirectUrl into Html.BeginUmbracoForm's route values.

For example:

cshtml
  @using (Html.BeginUmbracoForm<UmbLoginStatusController>(
      "HandleLogout",
      new { RedirectUrl = Model.Url() }))
  {
      <button type="submit">Log out</button>
  }

Resources

https://github.com/umbraco/Umbraco-CMS/pull/22565 https://github.com/umbraco/Umbraco-CMS/pull/22561

AnalysisAI

Open redirect vulnerability in Umbraco CMS Surface Controllers allows unauthenticated remote attackers to redirect authenticated victims to arbitrary external URLs following form submissions. The affected controllers - UmbLoginStatusController, UmbProfileController, and UmbRegisterController - accepted user-controlled RedirectUrl query parameters without validating that the destination was a local URL, enabling phishing and credential harvesting attacks. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS score of 5.4 reflects low-complexity network exploitation requiring only victim interaction.

Technical ContextAI

Umbraco CMS is a .NET-based open-source CMS distributed as a NuGet package (pkg:nuget/Umbraco.Cms). Its Surface Controllers are ASP.NET MVC controllers that handle member-facing operations such as login, logout, profile update, and member registration. These controllers processed a RedirectUrl form parameter derived from query strings in Razor templates without invoking any URL validation. The root cause maps to CWE-601 (URL Redirection to Untrusted Site / 'Open Redirect'): the application trusted user-supplied redirect destinations unconditionally. The fix, visible in the PR diffs for UmbLoginStatusController.cs, UmbProfileController.cs, and UmbRegisterController.cs, adds an Url.IsLocalUrl() guard check before using the redirect value, ensuring only same-origin URLs are honored. This is a standard ASP.NET mitigation for CWE-601.

RemediationAI

The primary fix is to upgrade Umbraco.Cms to version 13.14.0 (LTS branch) or 17.4.0 (current branch), as confirmed by the vendor advisory at https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7. The upstream code changes are available in PR #22561 and PR #22565 at https://github.com/umbraco/Umbraco-CMS/pull/22561 and https://github.com/umbraco/Umbraco-CMS/pull/22565. For sites that cannot upgrade immediately, the vendor-recommended workaround is to ensure every Razor form that posts to UmbLoginStatusController, UmbProfileController, or UmbRegisterController explicitly passes a concrete, trusted RedirectUrl as a hardcoded route value within Html.BeginUmbracoForm - for example, using Model.Url() or a static relative path. This prevents user-controlled query parameters from populating the redirect destination. The trade-off of this workaround is that it requires auditing and modifying every affected template in the site's codebase, and any form that is missed remains vulnerable; a missed form could be exploited before the audit is complete. Upgrading is strongly preferred.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-36069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy