VYPR
Medium severity (5.4) · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

CVE-2026-46616

Description

Impact

Some of the Surface Controllers the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.

Patches

The issue is resolved in versions 17.4.0 and 13.14.0.

Workarounds

If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController passes a concrete, trusted RedirectUrl into Html.BeginUmbracoForm's route values.

For example:

  @* RedirectUrl comes from the current page, never from the request *@
  @using (Html.BeginUmbracoForm(
      "HandleLogout",
      new { RedirectUrl = Model.Url() }))
  {
      <button type="submit">Log out</button>
  }

Resources

https://github.com/umbraco/Umbraco-CMS/pull/22565
https://github.com/umbraco/Umbraco-CMS/pull/22561

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Umbraco CMS Surface Controllers for member operations fail to validate redirect URLs, enabling open redirect attacks via user-controlled query parameters.

Vulnerability

The Umbraco CMS Surface Controllers that support member-related operations (UmbLoginStatusController, UmbProfileController, and UmbRegisterController) do not validate the RedirectUrl parameter. Razor templates that derive this parameter from user-controlled query strings are thus vulnerable to open redirect attacks [1][2].

Exploitation

An attacker can craft a malicious link containing a RedirectUrl query parameter pointing to an external site. When a user interacts with the affected form (e.g., logging out), the CMS redirects the user to the attacker-controlled URL. No authentication is required to trigger the redirect [1][3].

Impact

This open redirect vulnerability can be leveraged for phishing attacks, as victims may be redirected to a malicious site that mimics a legitimate one, potentially leading to credential theft or malware installation. The GitHub Advisory rates this as moderate severity [1].

Mitigation

The issue is patched in Umbraco CMS versions 13.14.0 and 17.4.0 [1][3]. If immediate upgrade is not possible, a workaround is to ensure every Razor form that posts to the affected controllers passes a concrete, trusted RedirectUrl via Html.BeginUmbracoForm route values [1][3].
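As an added example (not code from Umbraco or from this advisory), the following C# helper shows the check behind the workaround in both the Workarounds section and the Mitigation paragraph above: accept a RedirectUrl only when it is an application-relative path, and otherwise fall back to a trusted page URL, which is what passing Model.Url() into the route values achieves without consulting user input at all. The class and method names (SafeRedirect, IsLocalUrl, Resolve) and the redirectUrl query parameter are this example's own assumptions; in a Razor view the framework's built-in Url.IsLocalUrl applies similar rules.

```csharp
// Added example, not Umbraco's code: a strict "is this redirect target local?"
// check and a resolver that only lets a user-supplied RedirectUrl through when
// it is an application-relative path, otherwise falling back to a trusted URL.
// SafeRedirect, IsLocalUrl and Resolve are this example's own names.
using System;

public static class SafeRedirect
{
    // Accepts only "/path" or "~/path". Rejects protocol-relative forms
    // ("//host", "/\host"), absolute URLs, scheme-only strings such as
    // "javascript:", empty input, and any control character (\r, \n, ...)
    // that could be used to split the Location header.
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;

        foreach (char c in url)
        {
            if (c < ' ' || c == '\u007f') return false;
        }

        if (url[0] == '/')
        {
            if (url.Length == 1) return true;          // "/" -> site root
            return url[1] != '/' && url[1] != '\\';    // "//host", "/\host" -> not local
        }

        if (url.Length >= 2 && url[0] == '~' && url[1] == '/')
        {
            if (url.Length == 2) return true;          // "~/" -> app root
            return url[2] != '/' && url[2] != '\\';    // "~//host" -> not local
        }

        return false;  // "https://...", "evil.example", "javascript:..." etc.
    }

    // The value to hand to BeginUmbracoForm's RedirectUrl route value:
    // the candidate only if it is local, otherwise the trusted fallback.
    public static string Resolve(string? candidate, string trustedFallback)
        => IsLocalUrl(candidate) ? candidate! : trustedFallback;

    // Usage sketch in a Razor view (Html.BeginUmbracoForm as shown on this page;
    // the "redirectUrl" query parameter name is assumed):
    //   var target = SafeRedirect.Resolve(Context.Request.Query["redirectUrl"], Model.Url());
    //   @using (Html.BeginUmbracoForm("HandleLogout", new { RedirectUrl = target })) { ... }

    public static void Main()
    {
        const string fallback = "/members/";

        // Constructed sample inputs, not values taken from any real request.
        string[] constructedSamples =
        {
            "/members/profile",          // local, passes through
            "~/account",                 // app-relative, passes through
            "/",                         // site root, passes through
            "//attacker.example/login",  // protocol-relative, falls back
            "/\\attacker.example",       // backslash variant, falls back
            "https://attacker.example",  // absolute URL, falls back
            "javascript:alert(1)",       // scheme without host, falls back
            "/ok\r\nLocation: x",        // header-splitting attempt, falls back
            "",                          // missing value, falls back
        };

        foreach (string s in constructedSamples)
        {
            string shown = s.Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine($"{shown,-28} -> {Resolve(s, fallback)}");
        }
    }
}
```

The simplest and safest form of the workaround remains the one in the advisory: pass a value the view already trusts (such as Model.Url()) and never read RedirectUrl from the query string. The resolver above is for sites that need to honour a caller-supplied return path; it treats anything that is not a plain application-relative path as untrusted and substitutes the fallback.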

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Umbraco/Umbraco CMS (GHSA, 2 version ranges)
    • (no CPE) range: >= 17.3.0-rc, < 17.4.0
    • (no CPE) range: < 13.14.0 || < 17.4.0

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)