VYPR
High severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

CVE-2026-31834

Description

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Umbraco.CmsNuGet
>= 15.3.1, < 16.5.116.5.1
Umbraco.CmsNuGet
>= 17.0.0, < 17.2.217.2.2

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.