Unauthenticated Data Exposure via Broken Access Control in Umbraco Engage
Vulnerability ID: CVE-2026-27449
CVSS Score: 7.5
Published: 2026-02-27
A critical access control failure has been identified in Umbraco Engage (formerly uMarketingSuite), specifically affecting the Forms component. The vulnerability arises from missing authentication and authorization checks on sensitive API endpoints, allowing unauthenticated remote attackers to access proprietary marketing data and form submissions. By exploiting this flaw, attackers can bypass intended security boundaries and enumerate records via Insecure Direct Object References (IDOR), leading to significant data leakage of business intelligence and potentially personally identifiable information (PII).
TL;DR
CVE-2026-27449 permits unauthenticated attackers to query internal Umbraco Engage API endpoints. By manipulating ID parameters, attackers can scrape sensitive form and analytics data. Immediate patching to versions 16.2.1 or 17.1.1 is required.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-27449
- CVSS v3.1: 7.5 (High)
- CWE IDs: CWE-284, CWE-306, CWE-639
- Attack Vector: Network
- Privileges Required: None
- Impact: Confidentiality (High)
Affected Systems
- Umbraco Engage (uMarketingSuite)
- Umbraco.Engage.Forms
- Umbraco.Engage.Forms: < 16.2.1 (Fixed in: 16.2.1)
- Umbraco.Engage.Forms: >= 17.0.0, < 17.1.1 (Fixed in: 17.1.1)
Mitigation Strategies
- Update Umbraco Engage packages to fixed versions immediately.
- Implement Web Application Firewall (WAF) rules to restrict access to '/umbraco/' API paths.
- Restrict network access to backoffice APIs via VPN or IP allowlisting.
Remediation Steps:
- Identify the current version of Umbraco.Engage.Forms or uMarketingSuite running in the environment.
- If running version 16.x, update the NuGet package to version 16.2.1.
- If running version 17.x, update the NuGet package to version 17.1.1.
- Rebuild and redeploy the application to the production environment.
- Verify the fix by attempting to access the Engage API endpoints without an active session; the server should now return a 401 Unauthorized or 302 Redirect to login.
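The following script is an added example, not part of the advisory or of the Umbraco project. It classifies an installed Umbraco.Engage.Forms version against the two affected ranges listed above, reads the version out of `dotnet list package` output (a constructed sample is embedded so it runs offline), and, when `SITE_URL` is set, performs the anonymous-request check from the last remediation step, expecting 401 or 302. The Engage endpoint path is a placeholder: take the real paths from the GHSA or your application's route table.

```shell
#!/bin/sh
# Added example (not the advisory's own code): check an Umbraco.Engage.Forms
# version against the CVE-2026-27449 affected ranges and verify the patch.

# Convert "major.minor.patch[-prerelease]" to a sortable integer
# (the prerelease suffix is dropped before splitting on dots).
vnum() {
  printf '%s' "${1%%-*}" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Echo "vulnerable (update to X)" or "fixed" for one package version, using
# the ranges from the advisory: < 16.2.1, and >= 17.0.0 < 17.1.1.
engage_forms_status() {
  n=$(vnum "$1")
  if [ "$n" -lt "$(vnum 16.2.1)" ]; then
    echo "vulnerable (update to 16.2.1)"
  elif [ "$n" -ge "$(vnum 17.0.0)" ] && [ "$n" -lt "$(vnum 17.1.1)" ]; then
    echo "vulnerable (update to 17.1.1)"
  else
    echo "fixed"
  fi
}

# Constructed sample of `dotnet list package` output for a 16.x site.
sample_listing() {
  cat <<'EOF'
Project 'MySite' has the following package references
   [net9.0]:
   Top-level Package              Requested   Resolved
   > Umbraco.Cms                  16.1.0      16.1.0
   > Umbraco.Engage.Forms         16.1.0      16.1.0
EOF
}

# Read `dotnet list package` output on stdin and report the Engage Forms row;
# the resolved version is the last column of that row.
report_from_listing() {
  ver=$(awk '/Umbraco\.Engage\.Forms/ { print $NF; exit }')
  if [ -z "$ver" ]; then
    echo "Umbraco.Engage.Forms: not found in package listing"
    return 1
  fi
  echo "Umbraco.Engage.Forms $ver: $(engage_forms_status "$ver")"
}

# Anonymous request to an Engage API path on a patched site. The advisory's
# verification step expects 401 Unauthorized or a 302 redirect to login.
check_unauthenticated() {
  base="$1"
  path="$2"
  code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
  case "$code" in
    401|302) echo "OK   $path -> $code"; return 0 ;;
    *)       echo "FAIL $path -> $code (expected 401 or 302)"; return 1 ;;
  esac
}

# Offline run against the constructed sample; a real run would pipe
# `dotnet list package` output into report_from_listing instead.
sample_listing | report_from_listing

# Live check only when SITE_URL is provided, e.g. SITE_URL=https://staging.example
# ENGAGE_API_PATH is a placeholder; substitute the actual Engage API path.
if [ -n "${SITE_URL:-}" ]; then
  check_unauthenticated "$SITE_URL" "${ENGAGE_API_PATH:-/umbraco/PLACEHOLDER-engage-api-path}"
fi
```

Run it as `dotnet list package | sh check-engage.sh` style by replacing the `sample_listing` call with stdin, and set `SITE_URL` and `ENGAGE_API_PATH` after redeploying to confirm the endpoint no longer answers anonymous requests.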
References
- GitHub Security Advisory GHSA-86vq-ccwf-rm62
- NVD CVE-2026-27449 Details
- Umbraco Engage API Documentation
Read the full report for CVE-2026-27449 on our website for more details including interactive diagrams and full exploit analysis.