Umbraco, Privilege Escalation, CVE-2026-31834 (High)

Listen to this Post

This vulnerability is a vertical privilege escalation flaw in Umbraco CMS. It occurs because the application fails to properly enforce authorization checks when an authenticated backoffice user, who already has permission to manage users, attempts to modify user group memberships . The specific function that handles group assignments does not validate whether the current user has the necessary privileges to add a user to a highly privileged group, such as the “Administrators” group . By manipulating a web request to this function, an attacker with basic user management rights can add themselves or another user to the Administrator group, thereby gaining full control over the CMS instance . This bypass of authorization checks at the function level allows for the privilege escalation . The issue is present in versions from 15.3.1 up to, but not including, 16.5.1, and in versions 17.0.0 through 17.2.1 . It was patched in versions 16.5.1 and 17.2.2 by implementing correct authorization checks .
Platform: Umbraco CMS
Version: 15.3.1-16.5.0, 17.0.0-17.2.1
Vulnerability : Privilege Escalation
Severity: High (CVSS:7.2)
date: March 9, 2026

Prediction: Already patched (16.5.1/17.2.2)

What Undercode Say:

Analytics

The vulnerability stems from missing authorization checks in the user group modification function . It requires the attacker to be an authenticated backoffice user with access to the “Users” section . The flaw is classified under CWE-269 (Improper Privilege Management) and CWE-862 (Missing Authorization) . Successful exploitation grants an attacker full administrative privileges, impacting all aspects of the CMS .

How Exploit:

An attacker with basic user management rights could exploit this by intercepting the HTTP request when modifying a user’s groups. The request to the vulnerable API endpoint would be manipulated to include the ID or alias of the Administrator group. Because the server-side code fails to check if the current user has the right to assign such a high-privilege group, the request succeeds, adding the target user to the Administrators group.

Bash Command Simulation (Conceptual – Illustrates the flaw):

This is a conceptual example of the manipulated request
The attacker, with a session cookie, adds a user to the 'admin' group
Vulnerable endpoint does not verify if the attacker can assign 'admin' group.
curl -X POST \
'https://victim-umbraco.com/umbraco/backoffice/api/users/PostSaveUserGroups' \
-H 'Authorization: Bearer ATTACKER_SESSION_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"userId": "target-user-id",
"groups": ["editor", "admin"] // The unauthorized 'admin' group addition
}'

Protection from this CVE:

  1. Immediate Upgrade: Update Umbraco CMS to version 16.5.1 or 17.2.2, or later .
  2. .NET CLI Command: `dotnet add package Umbraco.Cms –version 17.2.2`

3. NuGet Package Manager: `Update-Package Umbraco.Cms -Version 17.2.2`

  1. Authorization Implementation: Developers should ensure all sensitive backoffice API controllers and actions use the `[bash]` attribute with policies that check for specific user group permissions, as outlined in Umbraco’s documentation . For example, `[Authorize(Policy = “AdminPolicy”)]` where the policy requires membership in the Administrator group.
  2. User Management Review: Audit users with access to the “Users” section to ensure they are trusted, as exploitation requires this access .

Impact

Full System Compromise: An attacker gains complete administrative control over the Umbraco CMS instance .
Data Breach: Unrestricted access to all content, member data, and configuration settings .
Site Defacement: Ability to modify or delete any content on the website.
Further Attacks: The compromised CMS can be used as a platform for attacks on internal networks or site visitors.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top