Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 5.4 NuGet

Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

GHSA-2qjj-h6wp-c7h7 · CVE-2026-46616

Published · Modified

Description

Impact

Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.

Patches

The issue is resolved in versions 17.4.0 and 13.14.0.

Workarounds

If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController passes a concrete, trusted RedirectUrl into Html.BeginUmbracoForm's route values.

For example:

  @using (Html.BeginUmbracoForm<UmbLoginStatusController>(
      "HandleLogout",
      new { RedirectUrl = Model.Url() }))
  {
      <button type="submit">Log out</button>
  }

Resources

https://github.com/umbraco/Umbraco-CMS/pull/22565
https://github.com/umbraco/Umbraco-CMS/pull/22561

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes