Moderate severity · NVD Advisory · Published Mar 11, 2025 · Updated Mar 11, 2025
Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
CVE-2025-27601
Description
Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Umbraco.Cms.Api.Management (NuGet) | >= 15.0.0-rc1, < 15.2.3 | 15.2.3 |
| Umbraco.Cms.Api.Management (NuGet) | < 14.3.3 | 14.3.3 |
Affected products
- Range: >= 15.0.0-rc1, < 15.2.3
References
- github.com/advisories/GHSA-6ffg-mjg7-585x (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-27601 (NVD advisory)
- github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd (fix commit)
- github.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9c (fix commit)
- github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6ffg-mjg7-585x (vendor advisory)