← back
CVE-2025-27601

Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality

CVSS 4.3 MEDIUMEPSS 0.3%CWE-285CWE-863
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Mar 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products
umbraco · Umbraco-CMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cdhttps://github.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9chttps://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6ffg-mjg7-585x