Umbraco Engage.Forms Unauthorized API Access Vulnerability (CVE-2026-27449)

Key Vulnerability Information Vulnerability Title: Unauthorized Access to Multiple API Endpoints Vulnerability Type: Unauthorized Access to Multiple API Endpoints Affected Package: Umbraco.Engage.Forms (NuGet) Affected Versions: - - Fixed Versions: - - Severity: High (CVSS v3 base metrics: 7.5/10) CVE ID: CVE-2026-27449 Description: - A vulnerability exists in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. Attackers can directly access these endpoints over the network without requiring a valid session or user credentials. By supplying user-controlled identifier parameters, attackers can retrieve sensitive data associated with arbitrary records. - Due to the lack of access control validation, these endpoints are susceptible to enumeration attacks, allowing attackers to extract data on a large scale by iterating through identifiers. Impact: - Unauthenticated attackers can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows access to arbitrary records via predictable or enumerable identifiers. - The impact on confidentiality is considered high. No direct impact on integrity or availability has been identified. - The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other content managed by Engage. Patch Information: - The vulnerability affects both v16 and v17 versions; patches have been released. Users are advised to upgrade to or . Temporary Mitigation: - No specific temporary mitigation methods are provided. Inquiry is made regarding whether there are methods to fix or mitigate this vulnerability without upgrading. References: - Inquiry is made regarding whether users can find more detailed information via specific links.

Goal Reached Thanks to every supporter — we hit 100%!

Umbraco Engage.Forms Unauthorized API Access Vulnerability (CVE-2026-27449)

More from this source