CVSS Score: 5.4 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-31832
Umbraco CMS suffers from a Broken Object-Level Authorization (BOLA) vulnerability within its Management API. Authenticated backoffice users can bypass node-level boundary restrictions to view and modify domain and notification configurations for arbitrary content nodes. The flaw is rooted in missing resource-level authorization checks in specific API controllers.
Authenticated Umbraco backoffice users can bypass permissions to read or modify domain and notification settings of restricted content nodes due to missing resource-level authorization checks in the Management API controllers.
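The following is an added illustration, not Umbraco's own code or the fix commit: it shows the BOLA pattern described above (an endpoint gated only by "is a backoffice user") next to one way of closing it with ASP.NET Core resource-based authorization, the IAuthorizationService mechanism the advisory points to. The route, the IDomainService/IUserNodeAccess interfaces, the DomainSettings record and the "NodeAccess" policy name are all hypothetical stand-ins chosen for the example.

```csharp
// Added example, not project code. Hypothetical: route, IDomainService,
// IUserNodeAccess, DomainSettings, NodeResource and the "NodeAccess" policy.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public record DomainSettings(string Hostname, string Culture);
public record NodeResource(int NodeId);

public interface IDomainService
{
    Task<DomainSettings?> GetAsync(int nodeId);
    Task SaveAsync(int nodeId, DomainSettings settings);
}

// Hypothetical: answers "is nodeId inside this user's permitted start nodes?"
public interface IUserNodeAccess
{
    bool IsWithinStartNodes(ClaimsPrincipal user, int nodeId);
}

// BEFORE: [Authorize] proves the caller is a backoffice user, but the nodeId
// taken from the route is never checked against that user's subtree (CWE-639).
[ApiController]
[Route("umbraco/management/api/v1/document/{nodeId:int}/domains")]
[Authorize]
public class VulnerableDomainsController : ControllerBase
{
    private readonly IDomainService _domains;
    public VulnerableDomainsController(IDomainService domains) => _domains = domains;

    [HttpPut]
    public async Task<IActionResult> Update(int nodeId, DomainSettings settings)
    {
        await _domains.SaveAsync(nodeId, settings); // attacker picks any nodeId
        return NoContent();
    }
}

// Resource-based requirement: the resource is the node named in the route.
public class NodeAccessRequirement : IAuthorizationRequirement { }

public class NodeAccessHandler : AuthorizationHandler<NodeAccessRequirement, NodeResource>
{
    private readonly IUserNodeAccess _access;
    public NodeAccessHandler(IUserNodeAccess access) => _access = access;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, NodeAccessRequirement requirement, NodeResource node)
    {
        if (_access.IsWithinStartNodes(context.User, node.NodeId))
            context.Succeed(requirement);
        // Otherwise the requirement stays unmet and AuthorizeAsync reports failure.
        return Task.CompletedTask;
    }
}

// AFTER: every action asks IAuthorizationService whether THIS user may touch
// THIS node before anything is read or written.
[ApiController]
[Route("umbraco/management/api/v1/document/{nodeId:int}/domains")]
[Authorize]
public class HardenedDomainsController : ControllerBase
{
    private readonly IDomainService _domains;
    private readonly IAuthorizationService _authz;

    public HardenedDomainsController(IDomainService domains, IAuthorizationService authz)
    {
        _domains = domains;
        _authz = authz;
    }

    [HttpGet]
    public async Task<IActionResult> Get(int nodeId)
    {
        var result = await _authz.AuthorizeAsync(User, new NodeResource(nodeId), "NodeAccess");
        if (!result.Succeeded) return Forbid();
        var settings = await _domains.GetAsync(nodeId);
        return settings is null ? NotFound() : Ok(settings);
    }

    [HttpPut]
    public async Task<IActionResult> Update(int nodeId, DomainSettings settings)
    {
        var result = await _authz.AuthorizeAsync(User, new NodeResource(nodeId), "NodeAccess");
        if (!result.Succeeded) return Forbid();
        await _domains.SaveAsync(nodeId, settings);
        return NoContent();
    }
}

// Registration in Program.cs (bind the policy to the requirement, register the handler):
// builder.Services.AddAuthorization(o =>
//     o.AddPolicy("NodeAccess", p => p.AddRequirements(new NodeAccessRequirement())));
// builder.Services.AddScoped<IAuthorizationHandler, NodeAccessHandler>();
```

The point of the handler design is that the check is keyed on the resource, not on the caller's role: a role or policy attribute on the controller cannot express "this node, for this user", which is exactly the boundary the vulnerable controllers skipped. The same pattern applies to the notifications endpoint.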
- CWE ID: CWE-639 (Authorization Bypass Through User-Controlled Key)
- Attack Vector: Network (API Request)
- Privileges Required: Low (Authenticated Backoffice User)
- CVSS v3.1 Score: 5.4 (Medium)
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
- Exploit Status: Proof of Concept
- Umbraco CMS (ASP.NET Core)
- Umbraco CMS: 14.0.0 - < 16.5.1 (Fixed in: 16.5.1)
- Umbraco CMS: 17.0.0 - < 17.2.2 (Fixed in: 17.2.2)
- Upgrade Umbraco CMS to 16.5.1 (14.x-16.x line) or 17.2.2 (17.x line)
- Audit backoffice user accounts and their content start nodes and permissions; the bypass needs only a low-privileged authenticated account
- Monitor Management API logs for requests to the /domains and /notifications endpoints that target content nodes outside the calling user's permitted subtree
Remediation Steps:
- Review current Umbraco CMS version deployed in the environment.
- Plan a maintenance window to apply the relevant patch (16.5.1 or 17.2.2).
- Verify with an integration test that, after the update, a backoffice user confined to one subtree is denied when reading or modifying the domain or notification settings of a node outside it (the fix adds resource-level IAuthorizationService checks in the affected controllers).
- Review historical backoffice and Management API logs for domain or notification changes on nodes the acting user should not have been able to reach.
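As an added example for the monitoring and log-review items above (this is not CVEReports' or Umbraco's tooling), the program below scans constructed Management API access-log lines for /domains and /notifications requests whose target node lies outside the calling user's permitted subtree. The log format, the user-to-start-node mapping and the node tree are all constructed for the example; a real deployment would load them from its own logs and backoffice configuration.

```csharp
// Added example, not project code. Log format, node tree and start-node
// mapping below are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class BolaLogScanner
{
    // Constructed content tree: child node id -> parent node id (root has no parent).
    static readonly Dictionary<int, int> Parent = new()
    {
        { 1043, 1000 }, { 1044, 1000 }, { 2051, 2000 }, { 2052, 2051 },
    };

    // Constructed start nodes: which subtree root each backoffice user may edit.
    static readonly Dictionary<string, HashSet<int>> StartNodes = new()
    {
        { "editor7", new HashSet<int> { 1000 } },
        { "editor9", new HashSet<int> { 2000 } },
        { "admin",   new HashSet<int> { 1000, 2000 } },
    };

    // Matches e.g. "2026-03-12T10:15:03Z user=editor7 PUT /umbraco/management/api/v1/document/1043/domains 204"
    static readonly Regex Line = new(
        @"^(?<ts>\S+) user=(?<user>\S+) (?<method>[A-Z]+) (?<path>\S+) (?<status>\d{3})$");

    static readonly Regex NodeEndpoint = new(
        @"/document/(?<node>\d+)/(?<endpoint>domains|notifications)(/|$)");

    // Walk up the tree until a permitted start node (or the root) is reached.
    static bool WithinStartNodes(string user, int nodeId)
    {
        if (!StartNodes.TryGetValue(user, out var roots)) return false;
        for (int current = nodeId; ; )
        {
            if (roots.Contains(current)) return true;
            if (!Parent.TryGetValue(current, out current)) return false;
        }
    }

    // Returns one alert string per request that reached a restricted node's
    // domain or notification settings. Status 204/200 means the request was served.
    public static List<string> Scan(IEnumerable<string> lines)
    {
        var alerts = new List<string>();
        foreach (var raw in lines)
        {
            var m = Line.Match(raw);
            if (!m.Success) continue;
            var e = NodeEndpoint.Match(m.Groups["path"].Value);
            if (!e.Success) continue;

            var user = m.Groups["user"].Value;
            var node = int.Parse(e.Groups["node"].Value);
            if (WithinStartNodes(user, node)) continue;

            var served = m.Groups["status"].Value is "200" or "204";
            alerts.Add($"{m.Groups["ts"].Value} {user} {m.Groups["method"].Value} " +
                       $"{e.Groups["endpoint"].Value} on node {node} outside start nodes " +
                       (served ? "(SERVED: possible BOLA exploitation)" : "(denied)"));
        }
        return alerts;
    }

    public static void Main()
    {
        var sample = new[]
        {
            "2026-03-12T10:15:03Z user=editor7 GET /umbraco/management/api/v1/document/1043/domains 200",
            "2026-03-12T10:15:09Z user=editor7 PUT /umbraco/management/api/v1/document/2052/domains 204",
            "2026-03-12T10:16:40Z user=editor9 PUT /umbraco/management/api/v1/document/1044/notifications 403",
            "2026-03-12T10:17:02Z user=admin PUT /umbraco/management/api/v1/document/2052/notifications 204",
        };
        foreach (var a in Scan(sample)) Console.WriteLine(a);
    }
}
```

Run against the constructed sample, the scanner reports editor7's served PUT on node 2052 (the exploitation pattern the advisory describes) and editor9's denied request on node 1044, and stays silent on the two in-subtree requests. On a patched instance only denied entries should appear; a served entry for an out-of-subtree node before the upgrade is the historical indicator the remediation steps ask for.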
- GitHub Advisory: GHSA-fpvf-fvp5-996r
- Fix Commit 11a412c0fd89c70af2fa76dd3478a3e8024dfeb2
- NVD Entry for CVE-2026-31832
- CVE.org Record
Generated by CVEReports - Automated Vulnerability Intelligence