Listen to this Post
The vulnerability arises because the `Umbraco.Cms` package fails to validate certain redirect URLs, specifically within specific Surface Controllers (such as UmbLoginStatusController, UmbProfileController, and UmbRegisterController) that handle member-related operations. The affected Surface Controller endpoints directly accept user input for the `RedirectUrl` parameter without performing proper validation on its destination. An attacker can exploit this by crafting a login, profile update, or registration request that contains a malicious redirect URL. When an unsuspecting victim interacts with the form, the application redirects the victim to the attacker-controlled website, a classic open redirect scenario.
Platform: Umbraco CMS
Version: <13.14.0, 17.0.0-17.3.5
Vulnerability: Open Redirect
Severity: Moderate
Date: May 21, 2026
Prediction: Patch by May 21, 2026
What Undercode Say:
Analytics show open redirect attacks often used for phishing and social engineering. Monitor your Umbraco application logs for suspicious redirects using the following shell command:
grep -E "RedirectUrl=https?://" /var/log/umbraco/UmbracoTraceLog.
How Exploit:
Exploit this vulnerability by luring a victim to a crafted URL that includes a malicious redirect target:
`https://target.com/login?redirectUrl=https://evil.com`
Protection from this CVE
- Immediately upgrade Umbraco CMS to versions 13.14.0 or 17.4.0 or later.
- If unable to upgrade immediately, manually validate all redirect URLs by setting a concrete, trusted URL in your Razor forms.
Impact:
- Phishing Attacks: Redirect users to malicious sites designed to steal credentials.
- Reputation Damage: Trusted domain is abused to host malicious content.
- Security Bypass: Open redirects can be chained with other vulnerabilities to escalate attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

