Umbraco.AI Security Advisory, June 4, 2026
Security patch for Umbraco.AI core package, versions 1.0.0 through 1.13.x
We have released a security patch for the Umbraco.AI package. We recommend that all users running an affected version update at their earliest convenience. As always, we take security seriously and want to give you the information you need to assess the impact on your installation and to update with confidence.
Who's affected?
The issue affects the Umbraco.AI core package, versions 1.0.0 through 1.13.x (all releases prior to the patch). Provider and add-on packages (OpenAI, Anthropic, Agent, Prompt, Search, Deploy, and others) are affected only by way of their dependency on Umbraco.AI Core — updating Umbraco.AI Core resolves the issue for all of them.
Solution
To resolve this issue, a security patch has been released on NuGet. Update the Umbraco.AI package to 1.14.0 or later.
Note — this update contains a breaking change.
Configuration references in connection and context settings (the $Key:Path syntax) are now resolved on a strict allow-list. After updating, references only resolve when the key sits under one of the allowed sections — by default Umbraco:AI:Secrets (for sensitive values such as API keys) and Umbraco:AI:Variables (for non-sensitive per-environment values).
If you currently reference configuration from other sections — for example $OpenAI:ApiKey — you must either:
Move the value under an allowed section, e.g. store it as Umbraco:AI:Secrets:OpenAIApiKey and reference $Umbraco:AI:Secrets:OpenAIApiKey; or
Opt the section back in by adding its prefix to Umbraco:AI:AllowedConfigurationKeyPrefixes in appsettings.json:
Secret references (keys under Umbraco:AI:Secrets) may only be used in fields marked as sensitive, such as the API Key field. This setting lives in app configuration by design and is not editable from the backoffice.
See the release notes for 1.14.0 for the full list of changes.
What we know about the vulnerability
Restricted configuration reference resolution in editable model settings
Umbraco.AI connection and context settings can resolve certain values from the application's configuration at runtime, so that credentials and per-environment values can be kept in configuration rather than in the database.
In affected versions, this resolution was not sufficiently scoped to AI-related configuration. As a result, a backoffice user with access to the AI section — a privileged position, but one that can be delegated to non-administrator user groups — could read application configuration values they would not otherwise be entitled to. This is an information-disclosure issue across a trust boundary, affecting confidentiality only.
The vulnerability requires an authenticated, AI-section–privileged user. There is no unauthenticated vector, and no impact to integrity or availability.
The patch makes configuration reference resolution default-deny: a reference only resolves when its key falls under an allow-listed prefix, and references to secret sections are additionally confined to sensitive fields. The allow-list is configured in application settings, so only someone who already has access to the configuration decides which sections may be referenced.
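To make the rule concrete, here is an added C# model of the checks described under Solution and in this section (example code, not Umbraco.AI's own implementation or API): the Resolve and UnderPrefix functions, the DefaultPrefixes array and the extraPrefixes parameter standing in for Umbraco:AI:AllowedConfigurationKeyPrefixes are all assumptions made for illustration, and the configuration values are constructed placeholders.

```csharp
// Added example (not Umbraco.AI's own code): models the default-deny reference rule this advisory describes.
using System;
using System.Collections.Generic;
using System.Linq;

public static class ConfigReferenceResolver
{
    // Default allow-list named in the advisory; extraPrefixes stands in for Umbraco:AI:AllowedConfigurationKeyPrefixes (binding assumed).
    static readonly string[] DefaultPrefixes = { "Umbraco:AI:Secrets", "Umbraco:AI:Variables" };
    static bool UnderPrefix(string key, string prefix) =>
        key.Equals(prefix, StringComparison.OrdinalIgnoreCase) ||
        key.StartsWith(prefix + ":", StringComparison.OrdinalIgnoreCase); // whole segments only, so "Umbraco:AI:SecretsX" does not match
    // Returns the resolved value, or null when the reference is denied or the key does not exist.
    public static string Resolve(string setting, bool fieldIsSensitive,
        IReadOnlyDictionary<string, string> config, IEnumerable<string> extraPrefixes)
    {
        if (setting == null || !setting.StartsWith("$")) return setting;   // a literal, not a $Key:Path reference
        string key = setting.Substring(1);
        if (!DefaultPrefixes.Concat(extraPrefixes).Any(p => UnderPrefix(key, p))) return null; // default-deny
        if (UnderPrefix(key, "Umbraco:AI:Secrets") && !fieldIsSensitive) return null;         // secrets only in sensitive fields
        return config.TryGetValue(key, out var value) ? value : null;
    }
    public static void Main()
    {
        // Constructed sample configuration; every value is a placeholder.
        var config = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Umbraco:AI:Secrets:OpenAIApiKey"] = "<secret-placeholder>",
            ["Umbraco:AI:Variables:Model"] = "<model-placeholder>",
            ["OpenAI:ApiKey"] = "<legacy-placeholder>",
            ["ConnectionStrings:umbracoDbDSN"] = "<dsn-placeholder>",
        };
        string[] none = Array.Empty<string>(), openAi = new[] { "OpenAI" };
        var cases = new (string reference, bool sensitive, string[] extra, string why)[]
        {
            ("$Umbraco:AI:Secrets:OpenAIApiKey", true,  none,   "secret in a sensitive field"),
            ("$Umbraco:AI:Secrets:OpenAIApiKey", false, none,   "secret outside a sensitive field"),
            ("$Umbraco:AI:Variables:Model",      false, none,   "variable in an ordinary field"),
            ("$ConnectionStrings:umbracoDbDSN",  true,  none,   "section never allow-listed"),
            ("$OpenAI:ApiKey",                   true,  none,   "legacy section, no opt-in"),
            ("$OpenAI:ApiKey",                   true,  openAi, "legacy section after opt-in"),
        };
        foreach (var c in cases)
        {
            string outcome = Resolve(c.reference, c.sensitive, config, c.extra) == null ? "DENIED" : "resolved";
            Console.WriteLine($"{c.reference,-36} sensitive={c.sensitive,-5} -> {outcome,-8} ({c.why})");
        }
    }
}
```

Running it shows the first, third and last references resolving and the other three denied, which is the behaviour to expect from connection and context settings after updating to 1.14.0.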
Full details are available in the published GitHub Security Advisory.
Any questions?
If you have any questions about this advisory, please reach out to the Umbraco security team at security@umbraco.com.
To be notified of future security advisories, sign up for the Umbraco security mailing list.