CVE-2026-46616

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Impact

Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.

Patches

The issue is resolved in versions 17.4.0 and 13.14.0.

Workarounds

If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController passes a concrete, trusted RedirectUrl into Html.BeginUmbracoForm's route values.

For example:

 @using (Html.BeginUmbracoForm<UmbLoginStatusController>(
   "HandleLogout",
   new { RedirectUrl = Model.Url() }))
 {
   <button type="submit">Log out</button>
 }

Resources

https://github.com/umbraco/Umbraco-CMS/pull/22565 https://github.com/umbraco/Umbraco-CMS/pull/22561

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601

Related Identifiers

CVE-2026-46616

GHSA-2QJJ-H6WP-C7H7

Affected Products

Umbraco Cms

CVE-2026-46616

Impact

Patches

Workarounds

Resources

Weakness Enumeration

Related Identifiers

Affected Products

References · 5