Webinar

From Running Projects to Growing Portfolios

Register Now →

Security Advisory, July 7, 2026: Security Patches are now available

Andy Butland
Written by Andy Butland

Summary: A vulnerability classified as high has been found and fixed in Umbraco 13, 17, and 18. For all versions, only the delivery API functionality is affected. Today, we have released patches for the affected versions and recommend upgrading. Projects hosted on Umbraco Cloud will receive the fix automatically.

Who’s affected?

Versions affected:

  • Umbraco 13.0.0 - 13.15.0

  • Umbraco 17.0.0 - 17.5.2

  • Umbraco 18.0.0 - 18.0.1

Unsupported versions can be subject to the vulnerability, but will not receive a patch. We recommend upgrading to a supported major version if you are using the affected features.

For 13.15.1, we have also bumped the dependency of MessagePack to a newer patch version, to move off a version that is marked as vulnerable.

How to fix the vulnerability

A patch is available for the latest minor versions of Umbraco 13, 17 and 18. As we are looking at a patch upgrade, and the fix is straightforward, we expect the update to only require minimal effort per project.

Instructions on patch availability and how to upgrade can be found in the release notes for Umbraco 13.15.1, Umbraco 17.5.3 and Umbraco 18.0.2.

Automatic fix on Umbraco Cloud

All Umbraco Cloud sites running the latest minor version of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed.

If a project is not running the latest minor version (13.15.x, 17.5.x, 18.0.x), the patch can be applied using the minor upgrade feature.

ℹ️ Note that Umbraco Cloud also supports automated minor upgrades. This can be enabled on a per-project level and ensures you're always ready to receive the latest patch.
ℹ️ Note that Umbraco Cloud also supports automated minor upgrades. This can be enabled on a per-project level and ensures you're always ready to receive the latest patch.

What we know about the vulnerability

The vulnerability impacts the delivery API and allows the retrieval of protected content by unauthorized users when that content is picked on an unprotected document and included in the output via output expansion.  Via a similar mechanism, it also allows retrieval of referenced content items that are restricted by type via configuration.

You can read more in the published security advisory.

Credit

We'd like to thank Ardya Suryadinata for reporting the issues and for responsible disclosure of details regarding the vulnerability.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisories. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.

For direct communication related to security in Umbraco products, please sign up for the dedicated security mailing list.