Platform: dotnet
Component: umbraco.cms
Fixed in: 15.3.2, 16.5.1, 17.0.1
A privilege escalation vulnerability has been identified in Umbraco CMS, affecting versions up to 16.5.0-rc. It allows an authenticated backoffice user who holds the permission to manage users to elevate their own privileges to Administrator level. The flaw stems from insufficient authorization enforcement when user group memberships are modified: the "manage users" permission alone is accepted as sufficient to change which groups an account belongs to. Fixed releases are listed above (16.5.1 on the 16.x line, with corresponding releases for the other supported lines).
Successful exploitation of CVE-2026-31834 grants an attacker full administrative control over the Umbraco CMS instance: the ability to modify content, users and settings, and from there potentially to compromise the host. An attacker could use the elevated account to install malicious code (for example through packages or templates), steal sensitive data, or disrupt operations. The impact is particularly severe because the precondition is only a backoffice account with the user-management permission, not an Administrator account.
CVE-2026-31834 was publicly disclosed on 2026-03-11. Its impact is significant because escalation is straightforward once an attacker holds, or has compromised, a backoffice account with the user-management permission. No public proof-of-concept exploits are currently known, but the simple nature of the vulnerability suggests that exploits may emerge. Its inclusion in the NVD is pending.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC: not listed
CVSS Vector: not listed
The primary mitigation for CVE-2026-31834 is to upgrade Umbraco CMS to version 16.5.1 or later (or the fixed release for your major version). If an immediate upgrade is not feasible, reduce exposure by tightening backoffice permissions: review which user groups carry the permission to manage users, remove it from any group that does not strictly need it, and review current group memberships so that only the intended personnel can administer users at all. A WAF cannot supply the missing server-side authorization check, but rules that alert on group-membership changes issued by non-Administrator accounts can surface attempts. After upgrading, confirm the fix by logging in as a test user that has the user-management permission but is not an Administrator, and verifying that it can no longer add itself or another account to the Administrators group.
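The authorization gap described in the summary above, the post-upgrade check, and the detection idea in this paragraph, as one added Python example that is not Umbraco's code and not part of this advisory. It models a hypothetical "set user groups" operation in its weak and hardened forms and runs a detection rule over constructed audit events. The group aliases ("admin", "user-managers"), the "set-user-groups" action name, the log field names and all user names are assumptions made for illustration; they are not Umbraco's actual identifiers, endpoints or log format.

```python
"""Hypothetical model (not Umbraco's code) of a user-group assignment that is
authorised only by a coarse "manage users" permission, its hardened form, and
a detection rule over constructed audit events."""
import json
from dataclasses import dataclass, field

ADMIN_GROUP = "admin"                              # assumed alias of the Administrators group
USER_MANAGER_GROUPS = {"admin", "user-managers"}   # assumed groups that carry "manage users"


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

    @property
    def is_admin(self) -> bool:
        return ADMIN_GROUP in self.groups

    @property
    def can_manage_users(self) -> bool:
        return bool(self.groups & USER_MANAGER_GROUPS)


class Forbidden(Exception):
    """Raised when an authorization check rejects the change."""


def vulnerable_set_user_groups(actor: User, target: User, new_groups: set) -> None:
    """Weak pattern: only the coarse permission is checked, so a user manager
    can hand the Administrators group to anyone, including themselves."""
    if not actor.can_manage_users:
        raise Forbidden("actor may not manage users")
    target.groups = set(new_groups)


def hardened_set_user_groups(actor: User, target: User, new_groups: set) -> None:
    """Corrected pattern: the coarse permission is still required, and a caller
    who is not an Administrator may neither touch Administrator accounts nor
    grant the Administrators group to anyone."""
    if not actor.can_manage_users:
        raise Forbidden("actor may not manage users")
    if not actor.is_admin:
        if target.is_admin:
            raise Forbidden("only an Administrator may modify an Administrator account")
        if ADMIN_GROUP in new_groups:
            raise Forbidden("only an Administrator may grant the Administrators group")
    target.groups = set(new_groups)


def allowed(setter, actor: User, target: User, new_groups: set) -> bool:
    """True if `setter` accepts the change; the shape of a post-upgrade test."""
    try:
        setter(actor, target, new_groups)
    except Forbidden:
        return False
    return True


# Constructed audit events (one JSON object per line); the field names are an
# assumption for illustration. actorGroups is the actor's membership at the
# time of the event, which a real pipeline must join in from the user store.
AUDIT_LOG = [
    '{"time":"2026-03-11T09:14:02Z","action":"set-user-groups","actor":"mallory",'
    '"actorGroups":["user-managers"],"target":"mallory","groups":["user-managers","admin"],"status":200}',
    '{"time":"2026-03-11T09:20:41Z","action":"set-user-groups","actor":"alice",'
    '"actorGroups":["admin"],"target":"bob","groups":["editors"],"status":200}',
    '{"time":"2026-03-11T09:25:10Z","action":"update-user","actor":"bob",'
    '"actorGroups":["editors"],"target":"bob","groups":["editors"],"status":200}',
    '{"time":"2026-03-11T09:30:00Z","action":"set-user-groups","actor":"carol",'
    '"actorGroups":["user-managers"],"target":"dave","groups":["admin"],"status":403}',
]


def detect_escalation_attempts(log_lines):
    """Flag group-membership changes where a non-Administrator actor assigned
    the Administrators group. Rejected attempts (status 403) are kept, since on
    a patched instance they are the signal that someone is probing."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("action") != "set-user-groups":
            continue
        if ADMIN_GROUP in ev.get("actorGroups", []):
            continue                                  # Administrators may do this
        if ADMIN_GROUP in ev.get("groups", []):
            hits.append({
                "time": ev["time"],
                "actor": ev["actor"],
                "target": ev["target"],
                "blocked": ev.get("status") == 403,
                "self_service": ev["actor"] == ev["target"],
            })
    return hits


if __name__ == "__main__":
    mallory = User("mallory", {"user-managers"})
    print("vulnerable:", allowed(vulnerable_set_user_groups, mallory, mallory, {"user-managers", "admin"}),
          "-> admin now:", mallory.is_admin)
    mallory = User("mallory", {"user-managers"})
    print("hardened:  ", allowed(hardened_set_user_groups, mallory, mallory, {"user-managers", "admin"}),
          "-> admin now:", mallory.is_admin)
    for hit in detect_escalation_attempts(AUDIT_LOG):
        print("ALERT", hit)
```

The `allowed(...)` call with a non-Administrator user manager targeting itself is the check to reproduce against a real instance after upgrading: it must be rejected. The detection rule deliberately does not drop rejected requests, because on a patched instance a 403 from a non-Administrator trying to assign the Administrators group is exactly the probing a WAF or SIEM rule should surface.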
Update Umbraco CMS to a fixed release: 16.5.1 or higher on the 16.x line, or the fixed release for the 15.x or 17.x line shown in the Fixed in field above. This restores the authorization check so that authenticated users with limited permissions can no longer escalate their privileges by modifying user group memberships.
CVE-2026-31834 is a vulnerability in Umbraco.Cms versions up to 16.5.0-rc that allows authenticated users to escalate their privileges to Administrator level due to insufficient authorization checks.
If you are using Umbraco.Cms version 16.5.0-rc or earlier, you are potentially affected by this vulnerability. Upgrade to 16.5.1 to mitigate the risk.
The recommended fix is to upgrade Umbraco.Cms to version 16.5.1 or later. If an immediate upgrade is not possible, implement stricter user permission controls.
Currently, no public proof-of-concept exploits are known, but the vulnerability's nature suggests potential for exploitation.
Refer to the official Umbraco.Cms security advisory for detailed information and updates: [https://our.umbraco.com/security/](https://our.umbraco.com/security/)