Privilege Escalation Vulnerability in Umbraco CMS by Umbraco
CVE-2026-31834

7.2 HIGH

Key Information:

Vendor: Umbraco

CVE Published: 10 March 2026

What is CVE-2026-31834?

Umbraco, a widely used ASP.NET CMS, contains a privilege escalation vulnerability that affects authenticated backoffice users with user management permissions. The issue originates from inadequate authorization checks when user group memberships are modified, which can allow these users to elevate their privileges beyond their intended access level. The flaw exists in Umbraco CMS versions from 15.3.1 up to but not including 16.5.1, as well as 17.2.2. This vulnerability poses a significant risk, especially for organizations relying on Umbraco for content management. Mitigate by updating to the latest versions, 16.5.1 or 17.2.2, where the issue has been resolved.

Affected Version(s)

Umbraco-CMS >= 15.3.1, < 16.5.1 < 15.3.1, 16.5.1

Umbraco-CMS >= 17.0.0, < 17.2.1 < 17.0.0, 17.2.1

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
