Client secret not mandatory in UmbracoIdentityExtensions
Description
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit flow is not safe. For traditional MVC applications, it is recommended to use the authorization code flow, which requires the client to authenticate with the authorization server using a client secret. This flow provides better security, as it involves exchanging an authorization code for an access token and/or ID token, rather than directly returning tokens in the URL fragment. This issue has been patched in commit e792429f9 and a release to Nuget is pending. Users are advised to upgrade when possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <= 2.0.0
Patches
Vulnerability mechanics
Root cause
"Client secrets are not required for certain endpoints, allowing untrusted actors to exploit the implicit OAuth flow which is unsafe for traditional MVC applications."
Attack vector
Affected versions of UmbracoIdentityExtensions do not require client secrets, which exposes endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit flow is unsafe and can be exploited. Traditional MVC applications should use the authorization code flow, which requires client authentication with a secret, to prevent tokens from being directly returned in the URL fragment.
Affected code
The vulnerability exists in the `UmbracoADAuthExtensions` class within the `UmbracoIdentityExtensions` package. Specifically, the `ConfigureBackOfficeAzureActiveDirectoryAuth` method is affected.
What the fix does
The patch modifies the `ConfigureBackOfficeAzureActiveDirectoryAuthentication` method to include an optional `clientSecret` parameter. This change enforces the requirement of a client secret for authentication, thereby mitigating the vulnerability associated with the implicit flow and protecting against exposure to untrusted actors. A release to Nuget is pending.
Preconditions
- configThe application must be using UmbracoIdentityExtensions in an affected version.
- inputThe attacker must be able to interact with the application's authentication endpoints.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- docs.umbraco.com/umbraco-cms/reference/security/external-login-providersmitrex_refsource_MISC
- github.com/umbraco/UmbracoIdentityExtensions/commit/e792429f9d1fa25c1ba4f7a61d23ee02fedd6dc9mitrex_refsource_MISC
- github.com/umbraco/UmbracoIdentityExtensions/pull/53mitrex_refsource_MISC
- github.com/umbraco/UmbracoIdentityExtensions/security/advisories/GHSA-f2rf-8mwf-6jfhmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.