CVE-2026-31834

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:umbraco:umbraco_cms::::::::
	cpe:2.3:a:umbraco:umbraco_cms::::::::

History

No history.

Information

Published : 2026-03-10 22:16

Updated : 2026-03-18 19:49

NVD link : CVE-2026-31834

Mitre link : CVE-2026-31834

CVE.ORG link : CVE-2026-31834

JSON object : View

Products Affected

umbraco

umbraco_cms

CWE

CWE-269

Improper Privilege Management

CWE-284

Improper Access Control

CWE-862

Missing Authorization

{"id": "CVE-2026-31834", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-03-10T22:16:21.567", "references": [{"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2."}, {"lang": "es", "value": "Umbraco es un CMS de ASP.NET. Desde 15.3.1 hasta antes de 16.5.1 y 17.2.2, ha sido identificada una vulnerabilidad de escalada de privilegios en Umbraco CMS. Bajo ciertas condiciones, los usuarios autenticados del backoffice con permiso para gestionar usuarios, podr\u00edan elevar sus privilegios debido a una aplicaci\u00f3n insuficiente de la autorizaci\u00f3n al modificar las membres\u00edas de grupos de usuarios. La funcionalidad afectada no valida correctamente si un usuario tiene privilegios suficientes para asignar roles altamente privilegiados. Esta vulnerabilidad est\u00e1 corregida en 16.5.1 y 17.2.2."}], "lastModified": "2026-03-18T19:49:17.780", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FA45ECC-C70C-4D28-8989-0784AD7311CF", "versionEndExcluding": "16.5.1", "versionStartIncluding": "15.3.1"}, {"criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C8D4B05-B561-4CDB-8B2A-BD734F9E9A74", "versionEndExcluding": "17.2.2", "versionStartIncluding": "17.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}