Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac
Description
Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (../, ..\) in the fileName parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the /umbraco/forms/api/v1/export endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated backoffice users can exploit a path traversal vulnerability in Umbraco Forms on Linux/Mac to read arbitrary files; patched in 16.4.1 and 17.1.1.
Vulnerability
Overview CVE-2026-24687 is a path traversal vulnerability in Umbraco Forms, a form builder for the Umbraco CMS. The issue resides in the export endpoint (/umbraco/forms/api/v1/export), which does not properly sanitize the fileName parameter, allowing authenticated backoffice users to traverse directories and read arbitrary files on the system filesystem [1][3].
Exploitation
Conditions An attacker must be an authenticated backoffice user with access to the export functionality. By crafting requests containing path traversal sequences (../ or ..\) in the fileName parameter, they can enumerate and read files outside the intended directory. The vulnerability is only exploitable on Mac or Linux installations; Umbraco Cloud runs on Windows and is not affected [1][3].
Impact
Successful exploitation enables an attacker to read sensitive files, such as configuration files or source code, potentially leading to further compromise. The attacker gains unauthorized read access to the file system, which can expose credentials, secrets, or other critical data [1][3].
Mitigation
The vulnerability is patched in Umbraco Forms versions 16.4.1 and 17.1.1. If immediate upgrade is not possible, mitigations include configuring a WAF or reverse proxy to block path traversal sequences in the fileName parameter, restricting network access to the backoffice, or disabling the export endpoint entirely. However, upgrading is strongly recommended [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Umbraco.FormsNuGet | >= 16.0.0, < 16.4.1 | 16.4.1 |
Umbraco.FormsNuGet | >= 17.0.0, < 17.1.1 | 17.1.1 |
Affected products
2- Range: >=16, <16.4.1 || >=17, <17.1.1
- umbraco/Umbraco.Forms.Issuesv5Range: >= 16.0.0, < 16.4.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-hm5p-82g6-m3xhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24687ghsaADVISORY
- github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xhghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.