PT-2026-24485 · Umbraco · Umbraco

Odgrso · Published 2026-03-10 · Updated 2026-03-11 · CVE-2026-31832

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Umbraco versions 14.0.0 through 16.5.0
Umbraco version 17.2.2

Description

Umbraco, an ASP.NET CMS, has an object-level authorization flaw in a backoffice API endpoint. The endpoint does not adequately enforce authorization, so an authenticated user can assign domain-related data to content nodes they are not permitted to access, whether that restriction comes from user group privileges or from start nodes. The affected parameters or variables are not specified.

Recommendations

Update to Umbraco version 16.5.1 or later.
Update to Umbraco version 17.2.2.

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-31832
GHSA-FPVF-FVP5-996R

Affected Products

Umbraco