Authorization Bypass in Umbraco CMS by Umbraco
CVE-2025-27602

CVSS 4.9 (MEDIUM)

Key Information:

Vendor

Umbraco

CVE Published:
11 March 2025

What is CVE-2025-27602?

Umbraco CMS is a widely used open-source content management system built on the .NET framework. A vulnerability in its web backoffice allows authenticated users to manipulate backoffice API URLs. By doing so, they can retrieve or delete content and media residing in folders they have not been granted access to, bypassing the intended authorization checks. The issue is fixed in versions 10.8.9 and 13.7.1; no workarounds are known for earlier versions.

Affected Version(s)

Umbraco-CMS < 10.8.9

Umbraco-CMS >= 11.0.0-rc1, < 13.7.1

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published: 11 March 2025

  • Vulnerability reserved