CVE-2026-31834: CVE-2026-31834: Vertical Privilege Escalation in Umbraco CMS User Group Management

#security #cve #cybersecurity

CVE-2026-31834: Vertical Privilege Escalation in Umbraco CMS User Group Management

Vulnerability ID: CVE-2026-31834
CVSS Score: 7.2
Published: 2026-03-11

A vertical privilege escalation vulnerability in Umbraco CMS allows authenticated backoffice users with user management permissions to elevate their privileges to Administrator. The flaw stems from missing authorization checks during user group assignments, enabling unauthorized users to assign highly privileged roles.

TL;DR

Authenticated Umbraco CMS users with standard user management permissions can escalate privileges to Administrator by manipulating the user group assignment API payload.

Technical Details

CWE ID: CWE-269
Attack Vector: Network
CVSS Score: 7.2
EPSS Score: 0.00036
Impact: Complete CMS Compromise
Exploit Status: None
CISA KEV: No

Affected Systems

Umbraco CMS
Umbraco-CMS: 15.3.1 - < 16.5.1 (Fixed in: 16.5.1)
Umbraco-CMS: 17.0.0 - < 17.2.2 (Fixed in: 17.2.2)

Code Analysis

Commit: 040f27c

Implement user group assignment authorization

Commit: 5f389f8

Additional fixes for user group assignments

Commit: 11a412c

Finalize backoffice security accessor injection

Mitigation Strategies

Upgrade to patched versions 16.5.1 or 17.2.2
Revoke user management permissions from non-admin accounts
Implement SIEM alerts for /set-user-groups endpoint activity

Remediation Steps:

Identify the current Umbraco CMS version deployed in the environment.
Review user accounts and temporarily remove 'User Management' permissions from non-administrators.
Apply update 16.5.1 or 17.2.2 depending on the current major version track.
Verify that the update completes successfully and test user group assignment functionality.
Restore user management permissions to trusted accounts.