Authorization Vulnerability in Umbraco CMS Versions 14.0.0 to 16.5.1 and 17.2.2
CVE-2026-31832

5.4 MEDIUM

Key Information:

Vendor

Umbraco

CVE Published:
10 March 2026

What is CVE-2026-31832?

A broken object-level authorization vulnerability exists in an API endpoint of Umbraco CMS. Authenticated users can assign domain-related data to content nodes without sufficient authorization checks. The cause is inadequate enforcement of authorization policies: users can make API calls that set domains on content nodes outside their permitted access scope. Affected versions range from 14.0.0 up to 16.5.1 and 17.2.2. The issue is remediated in subsequent releases.

Affected Version(s)

Umbraco-CMS >= 14.0.0, < 16.5.1 < 14.0.0, 16.5.1

Umbraco-CMS >= 17.0.0, < 17.2.0 < 17.0.0, 17.2.0

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
