EXECUTIVE SUMMARY:
CVE-2026-31832 affects the Umbraco .Cms package and stems from a broken object-level authorization (BOLA) flaw in a backoffice API endpoint. The flaw allows authenticated users with limited privileges to modify domain-related configuration on content nodes they are not authorized to manage: by sending crafted API requests, an attacker could assign or alter domain settings for nodes outside their permitted scope, because the affected endpoint does not validate the user's permissions on the target node when applying domain assignments. The vulnerability affects Umbraco .Cms versions ≥ 14.0.0 and < 16.5.1, and ≥ 17.0.0 and < 17.2.2. Successful exploitation may enable unauthorized configuration changes that affect site routing behavior or disrupt service functionality; improper modification of domain mappings may also expose configuration-related information or lead to unintended content routing across domains. The issue has been assigned a CVSS score of 5.4, indicating moderate severity.
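As an added illustration (plain C# with hypothetical names, not Umbraco's own code), the object-level check whose absence this advisory describes: the handler must authorize the caller against the specific content node named in the request before applying a domain assignment, rather than treating backoffice authentication alone as sufficient.

```csharp
using System;
using System.Collections.Generic;

// Constructed request shape: which content node gets which hostname/culture mapping.
public sealed record DomainAssignment(int NodeId, string Hostname, string Culture);

// Hypothetical permission store: the content-node IDs each backoffice user may manage.
public sealed class PermissionStore
{
    private readonly Dictionary<string, HashSet<int>> _managedNodes = new();

    public void Grant(string user, params int[] nodeIds)
    {
        if (!_managedNodes.TryGetValue(user, out var set))
            _managedNodes[user] = set = new HashSet<int>();
        set.UnionWith(nodeIds);
    }

    public bool CanManage(string user, int nodeId) =>
        _managedNodes.TryGetValue(user, out var set) && set.Contains(nodeId);
}

public sealed class DomainService
{
    private readonly PermissionStore _perms;
    private readonly Dictionary<int, List<DomainAssignment>> _domains = new();

    public DomainService(PermissionStore perms) => _perms = perms;

    // Vulnerable shape: being a logged-in backoffice user is treated as enough, so the
    // request is applied to whatever NodeId it names; node-level rights are never checked.
    public void AssignDomainUnchecked(string user, DomainAssignment req) => Store(req);

    // Hardened shape: authorize against the specific node being modified, and fail
    // closed when the user holds no rights on it.
    public void AssignDomain(string user, DomainAssignment req)
    {
        if (!_perms.CanManage(user, req.NodeId))
            throw new UnauthorizedAccessException(
                $"user '{user}' is not permitted to manage node {req.NodeId}");
        Store(req);
    }

    private void Store(DomainAssignment req)
    {
        if (!_domains.TryGetValue(req.NodeId, out var list))
            _domains[req.NodeId] = list = new List<DomainAssignment>();
        list.RemoveAll(d => d.Hostname == req.Hostname && d.Culture == req.Culture);
        list.Add(req);
    }
}
```

Calling AssignDomain for a node the user was never granted throws before any mapping is stored; AssignDomainUnchecked is the shape the advisory describes and is kept only for contrast.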
RECOMMENDATION:
We strongly recommend you update Umbraco .Cms to version 16.5.1 or 17.2.2, depending on the release branch you are running.
REFERENCES:
The following reports contain further technical details: