CVE-2026-27449: Unauthenticated Data Exposure via Broken Access Control in Umbraco Engage
Source: Dev.to
Overview
Vulnerability ID: CVE-2026-27449
CVSS v3.1: 7.5 (High)
Published: 2026-02-27
A critical access‑control failure has been identified in Umbraco Engage (formerly uMarketingSuite), specifically affecting the Forms component. The flaw stems from missing authentication and authorization checks on sensitive API endpoints, allowing unauthenticated remote attackers to query proprietary marketing data and form submissions.
By manipulating ID parameters, attackers can perform Insecure Direct Object Reference (IDOR) attacks, enumerating records and leaking business‑intelligence data as well as potentially personally identifiable information (PII).
Technical Details
- Attack Vector: Network
- Privileges Required: None
- Impact: Confidentiality (High)
The vulnerability permits unauthenticated requests to internal Umbraco Engage API endpoints such as /umbraco/.... Successful exploitation results in:
- Retrieval of form definitions and submissions.
- Access to analytics data tied to marketing campaigns.
- Potential exposure of PII stored within form fields.
Affected Versions
| Component | Affected Versions | Fixed In |
|---|---|---|
| Umbraco.Engage.Forms | >= 17.0.0, < 17.1.1 | 17.1.1 |
If your environment runs any version prior to the fixed releases, it is vulnerable.
Remediation Steps
- Identify the current version of Umbraco.Engage.Forms (or uMarketingSuite) in use.
- Update the NuGet package:
  - For 16.x → upgrade to 16.2.1.
  - For 17.x → upgrade to 17.1.1.
- Rebuild and redeploy the application to production.
- Verify the fix by attempting to access the Engage API endpoints without an active session; the server should now return 401 Unauthorized or a 302 Redirect to the login page.
- Additional hardening (recommended):
  - Implement Web Application Firewall (WAF) rules to restrict access to /umbraco/API paths.
  - Restrict network access to back‑office APIs via VPN or IP allow‑listing.
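The verification step above can be scripted so it is repeated after every deploy. The following is an added example, not code from the advisory or from Umbraco: it sends anonymous requests (no cookie, no Authorization header) to a list of Engage API paths, refuses to follow redirects so the raw status is visible, and reports whether each path is protected. The paths in `ENGAGE_PATHS` are placeholders, since the advisory does not name the exact endpoints, and treating a redirect whose `Location` contains "login" as the back-office login redirect is an assumption.

```python
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urljoin

# Placeholder paths: replace with the Engage Forms/analytics endpoints in your deployment.
ENGAGE_PATHS = [
    "/umbraco/engage/REPLACE-WITH-FORMS-ENDPOINT",
    "/umbraco/engage/REPLACE-WITH-ANALYTICS-ENDPOINT",
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status: int, location: Optional[str]) -> str:
    """Map an unauthenticated response to a verdict on the access-control fix."""
    if status in (401, 403):
        return "protected"                     # auth check is enforced
    if status in (301, 302, 303, 307, 308):
        if location and "login" in location.lower():
            return "protected"                 # assumed: redirect to back-office login
        return "review"                        # redirected elsewhere; inspect manually
    if status == 200:
        return "exposed"                       # data returned to an anonymous caller
    return "review"                            # 404/5xx etc.: path may be wrong


def probe(base_url: str, path: str, timeout: float = 10.0) -> str:
    """Request one path anonymously and classify the raw (unfollowed) response."""
    opener = urllib.request.build_opener(NoRedirect)
    # Deliberately no Cookie or Authorization header: this must look like an outsider.
    req = urllib.request.Request(urljoin(base_url, path), headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:       # 3xx/4xx/5xx all land here
        return classify_response(err.code, err.headers.get("Location"))


def verify(base_url: str, paths=ENGAGE_PATHS) -> dict:
    """Return {path: verdict}; any 'exposed' entry means the fix is not effective."""
    return {p: probe(base_url, p) for p in paths}


if __name__ == "__main__":
    import sys
    for path, verdict in verify(sys.argv[1]).items():
        print(f"{verdict:10} {path}")
```

A 200 is reported as exposed even if the body happens to be an HTML login form, so inspect any such result by hand before concluding the site is still vulnerable.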
References
- GitHub Security Advisory: GHSA-86vq-ccwf-rm62
- NVD entry: CVE‑2026‑27449
- Umbraco Engage API Documentation