Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content

GHSA-wx5h-wqfq-v698 · CVE-2025-27602

Published Mar 11, 2025 · Modified Mar 12, 2025

Description

Impact

Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to.

Patches

Will be patched in 10.8.9 and 13.7.1

Workarounds

None available.

References

WEB https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-27602
WEB https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7
WEB https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d
PACKAGE https://github.com/umbraco/Umbraco-CMS

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes