MEDIUM 5.4

CVE-2026-46616: Umbraco CMS Open Redirect in Member Surface Controllers

Umbraco CMS contains an open-redirect vulnerability in member-related Surface Controllers that fail to properly validate redirect URLs. When a Razor template uses user-controlled query parameters to set a redirect destination, an attacker can craft a malicious link that redirects users to an external site after they interact with the application. This undermines user trust and can be leveraged in phishing campaigns. Versions 13.14.0 and 17.4.0 and later address this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-601
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Umbraco's Surface Controllers that handle member operations. These controllers accept redirect URLs derived from user-controlled query parameters without sufficient validation. CWE-601 (URL Redirection to Untrusted Site) occurs when the application constructs a redirect response using unsanitized input, allowing attackers to direct users to arbitrary external destinations. The Razor template layer propagates this risk by directly consuming query parameters into redirect logic without canonicalization or allowlist enforcement.

Business impact

Open-redirect vulnerabilities erode user confidence in your application and create vectors for credential harvesting. Attackers can weaponize these redirects in social engineering attacks, directing users from legitimate Umbraco-hosted pages to convincing phishing sites. Organizations running member-facing Umbraco instances may see increased support burden and reputational damage if users are redirected to malicious sites. The medium CVSS score reflects the requirement for user interaction but the realistic attack surface of CMS-hosted member portals.

Affected systems

Umbraco CMS versions prior to 13.14.0 and 17.4.0 are affected. The vulnerability is specific to Surface Controllers supporting member operations, meaning Umbraco instances that do not expose member functionality or that use alternative authentication mechanisms may have lower practical risk. Installations using versions 13.14.0, 17.4.0, or later are not vulnerable.

Exploitability

Exploitation requires user interaction: an attacker must trick a user into clicking a crafted link containing a malicious redirect parameter. No authentication is required to construct or send such a link. The barrier to exploitation is low—only basic URL manipulation knowledge. However, successful attacks depend on social engineering and are not remotely exploitable without user participation. The vulnerability does not permit code execution or unauthorized data access on its own.

Remediation

Upgrade Umbraco to version 13.14.0 (for the 13.x branch) or 17.4.0 (for the 17.x branch) or any later version. If immediate patching is not possible, implement a Web Application Firewall (WAF) rule to detect and block redirect parameters pointing to external domains, or enforce Content Security Policy (CSP) headers to restrict framing and navigation. Additionally, conduct a code review of any custom Surface Controllers that handle redirects to ensure they validate URLs against an allowlist of trusted domains.

Patch guidance

Umbraco has released patched versions 13.14.0 and 17.4.0 that validate redirect URLs in affected Surface Controllers. Review your Umbraco version using the Umbraco backend dashboard or package.config. Schedule a maintenance window and upgrade via NuGet or the Umbraco package management interface. Test member login flows and any custom member-related Surface Controllers after patching to ensure functionality is preserved. If you are on version 12 or earlier, consult the Umbraco support matrix to determine the recommended upgrade path.

Detection guidance

Monitor application logs and WAF logs for unusual redirect parameters in member-related endpoints. Look for query strings containing external domain names (e.g., http://, https://, or // prefixes in redirect parameters). Inspect HTTP responses for Location headers that point to non-whitelisted domains. Implement alerting on redirect parameters that do not match expected internal paths. Consider URL decoding captured parameters to detect obfuscated redirects. Review referrer logs to identify if users are being diverted to phishing sites or other malicious destinations.

Why prioritize this

This vulnerability should be prioritized based on your Umbraco deployment model. If you operate a public-facing member portal or community site, the social engineering risk is material and warrants prompt patching. The medium CVSS score and lack of KEV designation suggest this is not an active widespread threat, but the ease of exploitation and applicability to common CMS use cases justify timely remediation. Organizations with internet-exposed Umbraco instances should patch within 30 days; internal or lower-traffic instances can follow a standard maintenance cycle.

Risk score, explained

CVSS 5.4 MEDIUM reflects a network-accessible vulnerability with low attack complexity and no privilege requirements, but mitigated by the requirement for user interaction and limited scope (confidentiality and integrity impact only; no availability impact). The score appropriately captures that attackers can redirect users to phishing sites or malicious content, but cannot directly compromise the Umbraco server or extract sensitive data server-side without additional attack stages.

Frequently asked questions

Can this vulnerability be exploited without user interaction?

No. An attacker must craft a malicious link and trick a user into clicking it. The vulnerability does not permit remote exploitation or automated attacks. However, this remains a realistic attack vector in phishing and social engineering campaigns.

Does upgrading to 13.14.0 or 17.4.0 require configuration changes?

No. The patched versions transparently add URL validation to the affected Surface Controllers. Member login and redirect flows should work unchanged. Test in a staging environment first to confirm, but no manual configuration is expected.

Are all Umbraco features affected or only member operations?

Only Surface Controllers that handle member-related operations are affected. Content management, publishing, and admin functions are not vulnerable. If you do not expose member functionality (e.g., no member login portal), your risk is lower, but you should still patch to close the attack surface for future development.

What is the difference between versions 13 and 17?

Umbraco follows semantic versioning where major versions represent significant feature or architecture changes. Version 13 and 17 are both supported tracks; you should upgrade within your current major version track (13.x to 13.14.0 or 17.x to 17.4.0 or later) unless you have a business reason to migrate to a newer major version.

This analysis is provided for informational purposes and reflects publicly available CVE data as of the publication date. Patch version numbers and affected product ranges should be verified against official Umbraco security advisories and release notes. Organizations should conduct internal testing before deploying patches in production. SEC.co does not provide legal or compliance advice; consult your security and compliance teams to determine applicability to your environment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).