Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Umbraco Engage API Endpoints Exposed to Unauthorized Access
CVE-2026-27449
GHSA-86vq-ccwf-rm62
Summary
Umbraco Engage API endpoints allow unauthorized access to sensitive data. An attacker can retrieve data by guessing or enumerating record IDs, potentially exposing analytics, customer information, and other sensitive content. Apply the latest patches (16.2.1 or 17.1.1) to fix this issue.
What to do
- Update umbraco.engage.forms to version 16.2.1.
- Update umbraco.engage.forms to version 17.1.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | umbraco.engage.forms | <= 16.2.1 | 16.2.1 |
| – | umbraco.engage.forms | > 17.0.0 , <= 17.1.1 | 17.1.1 |
Original title
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints
Original description
### Description
A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.
Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.
### Impact
An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.
The confidentiality impact is considered high. No direct integrity or availability impact has been identified.
The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.
### Patches
The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1
A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.
Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.
### Impact
An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.
The confidentiality impact is considered high. No direct integrity or availability impact has been identified.
The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.
### Patches
The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1
nvd CVSS3.1
7.5
Vulnerability type
CWE-284
Improper Access Control
CWE-306
Missing Authentication for Critical Function
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 27 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026