Umbraco CMS disclosure of configured password requirements

GHSA-pgvc-6h2p-q4f6 · CVE-2025-49147

Published Jun 24, 2025 · Modified Jun 28, 2025

Description

Impact

Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password.

The vulnerability can be found in the supported Umbraco versions 10 and 13. It was not exposed in Umbraco 7 or 8, nor in 14 or higher versions.

Patches

Patched in 10.8.11 and 13.9.2

References

WEB https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-pgvc-6h2p-q4f6
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-49147
WEB https://github.com/umbraco/Umbraco-CMS/commit/b4144564c836ec6929111ce2a12eb1f67b42d61e
WEB https://github.com/umbraco/Umbraco-CMS/commit/d8f68d2c40f8e158bd81d469f25ef3a4e1d86c4c
PACKAGE https://github.com/umbraco/Umbraco-CMS

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes