CVE-2026-31834

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-31834
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*
History

18 Mar 2026, 19:49

Type Values Removed Values Added
CPE cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*
First Time Umbraco
Umbraco umbraco Cms
References () https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp - () https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp - Vendor Advisory

11 Mar 2026, 13:52

Type Values Removed Values Added
Summary
  • (es) Umbraco es un CMS de ASP.NET. Desde 15.3.1 hasta antes de 16.5.1 y 17.2.2, ha sido identificada una vulnerabilidad de escalada de privilegios en Umbraco CMS. Bajo ciertas condiciones, los usuarios autenticados del backoffice con permiso para gestionar usuarios, podrían elevar sus privilegios debido a una aplicación insuficiente de la autorización al modificar las membresías de grupos de usuarios. La funcionalidad afectada no valida correctamente si un usuario tiene privilegios suficientes para asignar roles altamente privilegiados. Esta vulnerabilidad está corregida en 16.5.1 y 17.2.2.

10 Mar 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-10 22:16

Updated : 2026-03-18 19:49

NVD link : CVE-2026-31834

Mitre link : CVE-2026-31834

CVE.ORG link : CVE-2026-31834

JSON object : View

Products Affected

umbraco

  • umbraco_cms
CWE
CWE-269

Improper Privilege Management

CWE-284

Improper Access Control

CWE-862

Missing Authorization