Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.2
Umbraco: Hackers Can Become Admin by Misusing User Permissions
CVE-2026-31834
GHSA-rhcg-3h8r-v6vp
Summary
Some Umbraco website administrators may be able to grant themselves full control of the site by manipulating user permissions. This is a serious security risk, especially for sites with sensitive content or user data. To fix this, update to version 16.5.1 or 17.2.2.
What to do
- Update umbraco.cms to version 16.5.1.
- Update umbraco.cms to version 17.2.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | umbraco.cms | > 15.3.1 , <= 16.5.1 | 16.5.1 |
| – | umbraco.cms | > 17.0.0 , <= 17.2.2 | 17.2.2 |
Original title
Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
Original description
### Description
A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships.
The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles.
### Impact
An authenticated backoffice user may be able to escalate their privileges to Administrator level.
Successful exploitation results in full administrative control of the affected Umbraco CMS instance, including unrestricted access to content, user management, and configuration settings.
The impact is significantly mitigated by the fact that this can only be exploited by a user that has already been given access to the "Users" section in the CMS. For most Umbraco setups, such users are already also "Administrators".
### Patches
The issue is patched in 16.5.1 and 17.2.2.
### Workarounds
There is no workaround other than upgrading for setups where they want to have users with permission for the "Users" section without also being content with those users also being part of the "Administrators" user group.
A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships.
The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles.
### Impact
An authenticated backoffice user may be able to escalate their privileges to Administrator level.
Successful exploitation results in full administrative control of the affected Umbraco CMS instance, including unrestricted access to content, user management, and configuration settings.
The impact is significantly mitigated by the fact that this can only be exploited by a user that has already been given access to the "Users" section in the CMS. For most Umbraco setups, such users are already also "Administrators".
### Patches
The issue is patched in 16.5.1 and 17.2.2.
### Workarounds
There is no workaround other than upgrading for setups where they want to have users with permission for the "Users" section without also being content with those users also being part of the "Administrators" user group.
nvd CVSS3.1
7.2
Vulnerability type
CWE-269
Improper Privilege Management
CWE-284
Improper Access Control
CWE-862
Missing Authorization
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026