PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46616 umbraco CVE debrief

CVE-2026-46616 is a MEDIUM severity open redirect vulnerability in Umbraco CMS, a popular ASP.NET-based content management system. Versions prior to 13.14.0 and 17.4.0 are affected. The vulnerability arises from inadequate validation of redirect URLs in certain Surface Controllers that support member-related operations: the redirect target is taken from the request without checking that it stays on the site. An attacker who gets a victim to follow a crafted link to the trusted site can therefore have the response send the victim on to an attacker-chosen destination, which is mainly useful for phishing, since the link the victim sees starts on the legitimate domain. The issue has been patched in versions 13.14.0 and 17.4.0.

Vendor
umbraco
Product
Umbraco-CMS
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-12
Advisory published
2026-06-10
Advisory updated
2026-06-12

Who should care

Anyone running Umbraco CMS on a version prior to 13.14.0 or 17.4.0 is affected. Site administrators and security teams should check the installed version, apply the patched release, and review any custom Surface Controllers or Razor templates that take a redirect target from the request, since those follow the same pattern and are not fixed by the vendor patch.

Technical summary

The vulnerability is caused by insufficient validation of redirect URLs in some Surface Controllers of Umbraco CMS. Specifically, Razor templates that derive 'RedirectUrl' from user-controlled query parameters pass that value through to the redirect response, so an attacker-supplied absolute or protocol-relative URL is followed as-is (an open redirect). The CVSS v3.1 base score for this issue is 5.4, indicating a MEDIUM severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N: network-reachable, low attack complexity, no privileges required, user interaction required (the victim must follow the crafted link), unchanged scope, and low confidentiality and integrity impact.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to Umbraco CMS version 13.14.0 (13.x line) or 17.4.0 (17.x line), or later, to apply the patch.
  • Review custom Surface Controllers and Razor templates that take a redirect target from the query string or a form field. Accept only site-relative paths (a leading "/" that is not followed by another "/" or a backslash, and no control characters) and fall back to a fixed page otherwise; in ASP.NET Core, Url.IsLocalUrl and LocalRedirect implement exactly this check.
  • Where the set of valid destinations is known, go further and use an allowlist of permitted paths or route names rather than echoing any request-supplied URL, so that a redirect can only ever land on pages you chose.
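The following is an added example, not code from Umbraco or from the advisory, illustrating both the technical summary above (a redirect target taken straight from a request parameter) and the review step in the recommended actions. It reimplements the rules of ASP.NET Core's Url.IsLocalUrl in Python so it runs stand-alone, and contrasts them with a naive "no scheme, no host" check that looks adequate but is not. The sample redirect values are constructed for illustration and are not payloads from the advisory; the function and parameter names are the author's own.

```python
"""Open redirect check: naive 'is it relative?' test vs. the IsLocalUrl rules.

Added example. is_local_url() is the author's reimplementation of the rules
ASP.NET Core applies in Url.IsLocalUrl (leading '/' or '~/', not followed by
'/' or '\\', no control characters); it is not Umbraco's code.
"""
from urllib.parse import urlparse
import unicodedata

# Constructed sample values for a member-area `redirectUrl` parameter.
SAMPLE_REDIRECTS = [
    "/member/profile",              # plain site-relative path: fine
    "~/member/profile",             # ASP.NET virtual-path form: fine
    "/",                            # bare site root: fine
    "",                             # nothing supplied: use the fallback
    "https://evil.example/",        # absolute URL to another host
    "//evil.example/login",         # protocol-relative: browser goes to evil.example
    "/\\evil.example/login",        # backslash: browsers treat '\\' as '/' in http(s) URLs
    "/member\r\nSet-Cookie: x=y",   # CR/LF: header-injection attempt via the Location header
    "javascript:alert(1)",          # non-http scheme
]


def naive_is_local(url: str) -> bool:
    """The check that looks sufficient but is not: 'no scheme and no host, so it's ours'."""
    parts = urlparse(url)
    return bool(url) and parts.scheme == "" and parts.netloc == ""


def _has_control_char(s: str) -> bool:
    # Same idea as .NET's char.IsControl: Unicode general category Cc.
    return any(unicodedata.category(ch) == "Cc" for ch in s)


def is_local_url(url: str) -> bool:
    """Reimplementation of the ASP.NET Core Url.IsLocalUrl rules (assumption: matches current .NET)."""
    if not url:
        return False
    # Allow "/" or "/foo", but not "//..." or "/\..." (both resolve to another host).
    if url[0] == "/":
        if len(url) == 1:
            return True
        if url[1] not in "/\\":
            return not _has_control_char(url[1:])
        return False
    # Allow "~/" or "~/foo", but not "~//..." or "~/\...".
    if url.startswith("~/"):
        if len(url) == 2:
            return True
        if url[2] not in "/\\":
            return not _has_control_char(url[2:])
        return False
    # Anything else (absolute URLs, bare words, other schemes) is rejected.
    return False


def safe_redirect_target(requested: str, fallback: str = "/") -> str:
    """What a hardened controller should do: keep the request value only if it is local."""
    return requested if is_local_url(requested) else fallback


def audit(samples):
    """Return {url: (naive_verdict, strict_verdict)} for each sample."""
    return {u: (naive_is_local(u), is_local_url(u)) for u in samples}


if __name__ == "__main__":
    print(f"{'redirect value':32} naive  strict  -> target")
    for url, (naive, strict) in audit(SAMPLE_REDIRECTS).items():
        print(f"{url!r:32} {str(naive):6} {str(strict):7} -> {safe_redirect_target(url)!r}")
```

The two cases worth staring at are "/\\evil.example/login" and the CR/LF value: both have no scheme and no host as far as a URL parser is concerned, so the naive check lets them through, yet browsers rewrite the backslash to a slash and follow the redirect off-site, and an unencoded CR/LF can split the Location header. The strict check rejects both and the controller lands on the fallback page instead.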

Evidence notes

The vulnerability was patched in versions 13.14.0 and 17.4.0. References to the patches can be found at [ref-4](https://github.com/umbraco/Umbraco-CMS/pull/22561), [ref-5](https://github.com/umbraco/Umbraco-CMS/pull/22565), and [ref-6](https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7).

Official resources

CVE-2026-46616 was published on 2026-06-10T17:16:37.387Z and modified on 2026-06-12T19:34:21.710Z.