GHSA-2QJJ-H6WP-C7H7

Vulnerability from github – Published: 2026-05-21 19:58 – Updated: 2026-06-10 18:41
Summary
Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
Details

Impact

Some of the Surface Controllers the CMS provides to support member-related operations fail to validate redirect URLs. Razor templates that derive 'RedirectUrl' from user-controlled query parameters and pass it to these controllers are therefore vulnerable to open redirect attacks: the controller redirects to whatever URL the request supplied.

Patches

The issue is resolved in versions 17.4.0 and 13.14.0.

Workarounds

If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController passes a concrete, trusted RedirectUrl into Html.BeginUmbracoForm's route values.

For example:

  @using (Html.BeginUmbracoForm<UmbLoginStatusController>(
      "HandleLogout",
      new { RedirectUrl = Model.Url() }))
  {
      <button type="submit">Log out</button>
  }
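The following Razor view is an added example, not code from the advisory or from the Umbraco project. It shows the pattern the advisory warns about (a RedirectUrl taken straight from the query string) next to a hardened form of the same logout form. The view base class, the query parameter name "returnUrl" and the use of ASP.NET Core's Url.IsLocalUrl as the validation step are assumptions for the sake of illustration; the advisory's own recommendation is simply to pass a concrete, trusted value such as Model.Url().

```cshtml
@* Added example, not from the advisory or the Umbraco project.
   Assumes a view deriving from UmbracoViewPage (so Model.Url() and the
   Url helper are available) and a hypothetical "returnUrl" query parameter. *@
@inherits Umbraco.Cms.Web.Common.Views.UmbracoViewPage
@using Umbraco.Extensions
@using Umbraco.Cms.Web.Website.Controllers

@{
    // Fully attacker-controlled: it arrives in the query string of the request.
    string? requested = Context.Request.Query["returnUrl"];

    // A page of this site: safe to redirect to regardless of the request.
    string fallback = Model.Url();

    // Url.IsLocalUrl (ASP.NET Core IUrlHelper) accepts only app-relative paths
    // such as "/member/area" and rejects absolute and protocol-relative URLs,
    // so only a same-site path can survive this check; anything else falls back.
    string redirectUrl = !string.IsNullOrEmpty(requested) && Url.IsLocalUrl(requested)
        ? requested
        : fallback;
}

@* Risky shape described by the advisory: the raw query value is handed to the
   surface controller, which in unpatched versions redirects to it unchanged.
   Kept as a comment for comparison only.

   @using (Html.BeginUmbracoForm<UmbLoginStatusController>("HandleLogout",
       new { RedirectUrl = requested })) { <button type="submit">Log out</button> }
*@

@* Hardened form: the route value is either a validated local path or a
   concrete URL of this site, never an unchecked external destination. *@
@using (Html.BeginUmbracoForm<UmbLoginStatusController>(
    "HandleLogout",
    new { RedirectUrl = redirectUrl }))
{
    <button type="submit">Log out</button>
}
```

If the destination never needs to vary per request, dropping the query-string branch entirely and passing Model.Url() (or another fixed site URL) is the simplest form of the workaround; the local-URL check is only needed where a return-to-page feature genuinely has to honour a value from the request.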

Resources

https://github.com/umbraco/Umbraco-CMS/pull/22565
https://github.com/umbraco/Umbraco-CMS/pull/22561


{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.3.0-rc"
            },
            {
              "fixed": "17.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T19:58:06Z",
    "nvd_published_at": "2026-06-10T17:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nSome of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive \u0027RedirectUrl\u0027 from user-controlled query parameters vulnerable to malicious redirect attacks.\n\n### Patches\nThe issue is resolved in versions 17.4.0 and 13.14.0.\n\n### Workarounds\nIf users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to `UmbLoginStatusController`, `UmbProfileController` or `UmbRegisterController` passes a concrete, trusted `RedirectUrl` into `Html.BeginUmbracoForm\u0027s` route values. \n\nFor example:\n\n```cshtml\n  @using (Html.BeginUmbracoForm\u003cUmbLoginStatusController\u003e(\n      \"HandleLogout\",\n      new { RedirectUrl = Model.Url() }))\n  {\n      \u003cbutton type=\"submit\"\u003eLog out\u003c/button\u003e\n  }\n```\n\n### Resources\n\nhttps://github.com/umbraco/Umbraco-CMS/pull/22565\nhttps://github.com/umbraco/Umbraco-CMS/pull/22561",
  "id": "GHSA-2qjj-h6wp-c7h7",
  "modified": "2026-06-10T18:41:24Z",
  "published": "2026-05-21T19:58:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/pull/22561"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/pull/22565"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers"
}
