CVE Reports

Originally published at cvereports.com

CVE-2026-31832: Broken Object-Level Authorization in Umbraco CMS Management API

Vulnerability ID: CVE-2026-31832
CVSS Score: 5.4
Published: 2026-03-11

Umbraco CMS suffers from a Broken Object-Level Authorization (BOLA) vulnerability within its Management API. Authenticated backoffice users can bypass node-level boundary restrictions to view and modify domain and notification configurations for arbitrary content nodes. The flaw is rooted in missing resource-level authorization checks in specific API controllers.

TL;DR

Authenticated Umbraco backoffice users can bypass permissions to read or modify domain and notification settings of restricted content nodes due to missing resource-level authorization checks in the Management API controllers.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639 (Authorization Bypass Through User-Controlled Key)
  • Attack Vector: Network (API Request)
  • Privileges Required: Low (Authenticated Backoffice User)
  • CVSS v3.1 Score: 5.4 (Medium)
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
  • Exploit Status: Proof of Concept

Affected Systems

  • Umbraco CMS (ASP.NET Core)
  • Umbraco CMS 14.0.0 up to but not including 16.5.1 (fixed in 16.5.1)
  • Umbraco CMS 17.0.0 up to but not including 17.2.2 (fixed in 17.2.2)

Code Analysis

Commit: 11a412c

The official fix commit injects IAuthorizationService into the affected Management API controllers and adds explicit resource-level authorization checks, so that a request to read or modify a node's domain or notification settings is authorized against that specific content node rather than only against the caller's backoffice login.
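The following is an added illustrative example, not Umbraco's code and not the content of commit 11a412c. It shows, in a minimal ASP.NET Core controller, the vulnerable pattern the report describes (the caller is authenticated, but no check ties the caller to the node they name) next to the hardened pattern the fix applies (resolve the node, then ask IAuthorizationService whether this user may touch this resource). The types ContentNode, INodeRepository, NodeAccessRequirement and NodeAccessHandler, the routes, and the content_start_path claim are assumed names for illustration only.

```csharp
// Added example: vulnerable vs. hardened resource-level authorization in an ASP.NET Core
// management-style API. Not Umbraco's code; all type names, routes and claims are assumptions.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Assumed content node model: Path is a comma-separated list of ancestor ids, e.g. "-1,1001,1005".
public sealed class ContentNode
{
    public Guid Id { get; init; }
    public string Path { get; init; } = "";
    public string? Domain { get; set; }
}

// Assumed repository abstraction; any node id resolves to a node regardless of who is asking.
public interface INodeRepository
{
    ContentNode? Get(Guid id);
}

// Requirement: the caller's content start node must be the target node or one of its ancestors.
public sealed class NodeAccessRequirement : IAuthorizationRequirement { }

// Resource-based handler evaluated by IAuthorizationService for a specific ContentNode.
public sealed class NodeAccessHandler : AuthorizationHandler<NodeAccessRequirement, ContentNode>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, NodeAccessRequirement requirement, ContentNode node)
    {
        // Assumed claim carrying the user's start-node path, issued at login.
        var startPath = context.User.FindFirst("content_start_path")?.Value;
        if (startPath is not null &&
            (node.Path == startPath || node.Path.StartsWith(startPath + ",", StringComparison.Ordinal)))
        {
            context.Succeed(requirement);
        }
        // Not calling Succeed leaves the requirement unmet, so AuthorizeAsync reports failure.
        return Task.CompletedTask;
    }
}

// Vulnerable pattern (CWE-639): [Authorize] only proves the caller is a backoffice user.
// The node id from the URL is used directly, so any authenticated user can read any node's domain.
[ApiController, Authorize, Route("api/v1/content/{id:guid}/domains")]
public sealed class VulnerableDomainsController : ControllerBase
{
    private readonly INodeRepository _nodes;
    public VulnerableDomainsController(INodeRepository nodes) => _nodes = nodes;

    [HttpGet]
    public IActionResult Get(Guid id)
    {
        var node = _nodes.Get(id);
        return node is null ? NotFound() : Ok(new { node.Id, node.Domain });
    }
}

// Hardened pattern: resolve the resource, then authorize THIS user against THIS node
// before every read and every write.
[ApiController, Authorize, Route("api/v2/content/{id:guid}/domains")]
public sealed class HardenedDomainsController : ControllerBase
{
    private readonly INodeRepository _nodes;
    private readonly IAuthorizationService _authz;

    public HardenedDomainsController(INodeRepository nodes, IAuthorizationService authz)
    {
        _nodes = nodes;
        _authz = authz;
    }

    [HttpGet]
    public async Task<IActionResult> Get(Guid id)
    {
        var node = _nodes.Get(id);
        if (node is null) return NotFound();

        var result = await _authz.AuthorizeAsync(User, node, new NodeAccessRequirement());
        if (!result.Succeeded) return Forbid(); // return NotFound() instead if node existence must stay hidden

        return Ok(new { node.Id, node.Domain });
    }

    [HttpPut]
    public async Task<IActionResult> Put(Guid id, [FromBody] string domain)
    {
        var node = _nodes.Get(id);
        if (node is null) return NotFound();

        // The write path needs the same check; a GET-only guard still leaves modification open.
        var result = await _authz.AuthorizeAsync(User, node, new NodeAccessRequirement());
        if (!result.Succeeded) return Forbid();

        node.Domain = domain;
        return NoContent();
    }
}
```

The handler has to be registered for the check to run (for example `builder.Services.AddSingleton<IAuthorizationHandler, NodeAccessHandler>();` in the application's startup); an unregistered handler means every AuthorizeAsync call fails, which is the safe direction but will break the endpoint. This structure also gives the remediation checklist something concrete to test: an integration test that logs in a user whose start node lies outside the target node's subtree and asserts a 403 on both GET and PUT demonstrates that the resource-level check is in place.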

Mitigation Strategies

  • Upgrade Umbraco CMS to version 16.5.1 or 17.2.2
  • Audit backoffice user accounts and permissions
  • Monitor API logs for suspicious access to the /domains and /notifications endpoints, in particular requests from low-privileged backoffice users that target content nodes outside their permitted start nodes

Remediation Steps

  1. Review current Umbraco CMS version deployed in the environment.
  2. Plan a maintenance window to apply the relevant patch (16.5.1 or 17.2.2).
  3. Verify the update applies the IAuthorizationService checks via unit or integration tests.
  4. Review backoffice logs for historical indicators of compromise.
