API Security Flaw in Umbraco Engage Business Intelligence Platform
CVE-2026-27449

7.5HIGH

Key Information:

Vendor: Umbraco
Status: Umbraco.engage.forms
Vendor: CVE Published:; 26 February 2026

What is CVE-2026-27449?

A security flaw has been discovered in Umbraco Engage prior to versions 16.2.1 and 17.1.1, where specific API endpoints lack necessary authentication and authorization checks. These endpoints are accessible over the network without requiring user credentials or a valid session, enabling unauthenticated attackers to exploit the vulnerability. By manipulating a user-controlled identifier parameter, attackers can enumerate through records and potentially extract a wide range of sensitive data, including analytics and customer information. This highlights a significant risk to data confidentiality and emphasizes the necessity for users to upgrade to the latest patched versions to safeguard against such threats.

Affected Version(s)

Umbraco.Engage.Forms < 16.2.1 < 16.2.1

Umbraco.Engage.Forms >= 17.0.0, < 17.1.1 < 17.0.0, 17.1.1

References

https://github.com/umbraco/Umbraco.Engage.Issues/security...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 19, 2026

CVE-2026-27449 Data

JSON