Auth bypass in Umbraco Umbraco-cms
CVE-2025-27602
Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice user…
EPSS: 0.002 (41.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N.
Affected products
- Umbraco Umbraco-cms — versions < 10.8.9, >= 11.0.0-rc1, < 13.7.1
Weakness classification (CWE)
References
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698 (x_refsource_CONFIRM)
- https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7 (x_refsource_MISC)
- https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-27602?
- CVE-2025-27602 is a medium-severity vulnerability in Umbraco Umbraco-cms, classified under Improper Authorization. CVSS score: 4.9/10. Published 2025-03-11.
- How severe is CVE-2025-27602?
- Medium severity. CVSS v3 base score is 4.9 out of 10.