DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2021-47776: Umbraco Unchained: The 'baseUrl' SSRF Nightmare


Vulnerability ID: CVE-2021-47776
CVSS Score: 6.9
Published: 2026-01-15

A classic Server-Side Request Forgery (SSRF) vulnerability in the Umbraco CMS BackOffice allows authenticated users to turn the web server into an open proxy. By manipulating the baseUrl parameter in help and dashboard controllers, attackers can scan internal networks or exfiltrate cloud metadata.

TL;DR

Umbraco v8.14.1 trusted user input a little too much. Specifically, the BackOffice API blindly accepted a baseUrl parameter to fetch help documentation and dashboard widgets. An authenticated attacker could modify this parameter to point to http://169.254.169.254 (or any internal IP), forcing the server to fetch and display sensitive data like AWS credentials or internal service responses. The fix involves implementing a strict allowlist for remote resource fetching.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v4.0: 6.9 (Medium)
  • Authentication: Required (BackOffice)
  • Impact: Confidentiality (High), Integrity (Low)
  • Exploit Status: PoC Available

Affected Systems

  • Umbraco CMS v8.14.1
  • Umbraco Cloud (prior to July 2021 patch)
  • Umbraco CMS <= 8.14.1 (fixed in 8.14.2)

Exploit Details

  • Exploit-DB: Umbraco CMS 8.14.1 - 'baseUrl' Server-Side Request Forgery (SSRF)

Mitigation Strategies

  • Update Umbraco CMS to version 8.14.2 or 8.15.0 immediately.
  • Implement Egress Filtering (Outbound Firewall Rules) to block server access to internal IP ranges (10.0.0.0/8, 192.168.0.0/16, etc.) and cloud metadata IPs (169.254.169.254).
  • Restrict access to the Umbraco BackOffice (/umbraco) to trusted IP addresses only.
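The fix the TL;DR describes is a strict allowlist for server-side fetches. The following is an added example of such a check, written for this post and not taken from Umbraco's code; the allowed hosts and the resolver results in the demo are assumed/constructed, and the resolver is injectable so the check runs offline and so a caller can pin the connection to the addresses it validated.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the BackOffice may fetch help/dashboard
# content from; a real deployment lists its own documentation hosts.
ALLOWED_HOSTS = {"our.umbraco.com", "dashboard.umbraco.com"}


def resolve_all(host):
    """Return every address a hostname resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def reject_reason(url, allowed_hosts=ALLOWED_HOSTS, resolve=resolve_all):
    """Return None if the server may fetch `url`, else a short rejection reason."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":
        return "scheme"            # rejects http://169.254.169.254/... outright
    if parts.username is not None or parts.password is not None:
        return "credentials"       # rejects https://allowed.host@10.0.0.5/ tricks
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return "host"              # the actual allowlist check
    try:
        addrs = resolve(host)
    except OSError:
        return "unresolvable"
    if not addrs:
        return "unresolvable"
    # Reject if *any* resolved address is non-public: an allowlisted name
    # that points at an internal or link-local address is still dangerous.
    for addr in addrs:
        try:
            if not ipaddress.ip_address(addr).is_global:
                return "non-public address"
        except ValueError:
            return "bad address"
    return None


if __name__ == "__main__":
    # Constructed resolver results; nothing is looked up on the network.
    public = lambda h: {"93.184.216.34"}
    internal = lambda h: {"10.0.0.5"}
    print(reject_reason("https://our.umbraco.com/docs/", resolve=public))    # None
    print(reject_reason("http://169.254.169.254/latest/", resolve=public))   # scheme
    print(reject_reason("https://our.umbraco.com/", resolve=internal))       # non-public address
```

Egress filtering as listed above remains the backstop: the resolver check is only as good as the addresses the server actually connects to, so the fetch should be pinned to the validated addresses rather than re-resolving the name.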

Remediation Steps:

  1. Check your current Umbraco version in the web.config file or the BackOffice help section.
  2. If the version is 8.14.1, back up your database and media files.
  3. Use NuGet Package Manager to upgrade the UmbracoCms package to the latest stable v8 release.
  4. Verify the fix by attempting the PoC payload against a non-production instance.

Read the full report for CVE-2021-47776 on our website for more details including interactive diagrams and full exploit analysis.
