MEDIUM (CVSS 5.3) · NuGet
Umbraco Makes User Enumeration Feasible Based on Timing of Login Response
GHSA-4g8m-5mj5-c8xg · CVE-2025-46736
Description
Impact
The login API responds in a measurably different amount of time depending on whether the submitted username belongs to an existing account. By timing the responses to login requests, an unauthenticated attacker can determine whether a given account exists, which supports user enumeration ahead of password guessing or phishing.
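As an added illustration (not Umbraco's code and not the referenced fix), the Python model below places the handler pattern that produces this kind of timing difference beside a common mitigation, and includes a routine that measures the gap an attacker would observe. The in-memory user store, the PBKDF2 parameters and the dummy-hash mitigation are assumptions made for the demonstration; the actual Umbraco change may differ.

```python
"""Timing-based user enumeration on a login handler: a vulnerable handler
beside a hardened one, plus a routine that measures the timing gap.
Constructed example, not Umbraco's code."""
import hashlib
import hmac
import os
import statistics
import time

# Assumed parameters: enough iterations that one hash costs far more than
# a dictionary lookup, so the side channel is easy to see.
ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed in-memory user store: {username: (salt, pbkdf2 hash)}.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}

# Dummy credential so that an unknown user costs the same as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: the expensive hash only runs for
    existing accounts, so the response time reveals whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always runs the hash (against a dummy hash for unknown users) and only
    then applies the account-exists check, so both paths do the same work."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    return matches and record is not None


def median_ms(fn, username: str, password: str, samples: int = 5) -> float:
    """Median wall-clock time in milliseconds over `samples` calls of fn."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(username, password)
        times.append((time.perf_counter() - start) * 1000)
    return statistics.median(times)


def enumeration_gap_ms(fn) -> float:
    """Difference in median response time between a wrong password for an
    existing user and any password for a non-existent user. A large positive
    value is the signal an attacker uses to tell the two cases apart."""
    return median_ms(fn, "alice", "wrong") - median_ms(fn, "nobody", "wrong")


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name:10s} existing-vs-missing user gap: {enumeration_gap_ms(fn):7.2f} ms")
```

Running the block prints a gap of roughly one password-hash computation for the vulnerable handler and a gap near zero for the hardened one. The same measurement, pointed at a real login endpoint over the network, is how the condition described above would be confirmed; network jitter then requires more samples and a statistical comparison rather than a single median.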
Patches
Patched in Umbraco CMS 10.8.10 and 13.8.1 (see the referenced commits).
Workarounds
None available.
References
- WEB https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4g8m-5mj5-c8xg
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-46736
- WEB https://github.com/umbraco/Umbraco-CMS/commit/14fbd20665b453cbf094ccf4575b79a9fba07e03
- WEB https://github.com/umbraco/Umbraco-CMS/commit/34709be6cce9752dfa767dffbf551305f48839bc
- PACKAGE https://github.com/umbraco/Umbraco-CMS