White Paper

How to choose the right CMS for your organization?

Get access today! →
Book a discovery call
Book a discovery call

Security Advisory, March 11 , 2025 - Patches for Umbraco CMS are now available

We recommend you upgrade to the latest patch

Andy Butland
Written by Andy Butland

Summary: We have identified two unrelated security vulnerabilities in Umbraco CMS. These vulnerabilities allow backoffice authenticated users to access functionality and content beyond what their permissions should allow. Today, we have released patches for all affected versions and recommend upgrading to the latest patch. Projects hosted on Umbraco Cloud will receive the fix automatically.

We have also received notice of a patch release to an Umbraco dependency, ImageSharp, to resolve a high-severity issue - this is included in all the patches listed below. 

Who’s affected?

  • Umbraco 10.0.0 - 10.8.8 and 13.0.0 - 13.7.0
    • Umbraco 10 and 13 are affected by 1 moderate-severity issue.
    • Umbraco 10 and 13 are affected by 1 high-severity issue to an Umbraco dependency.
  • Umbraco 14.0.0 - 14.3.2 and Umbraco 15.0.0 - 15.2.2
    • Umbraco 14 and 15 are affected by 1 moderate-severity issues.
    • Umbraco 14 and 15 are affected by 1 high-severity issue to an Umbraco dependency.

How to fix the vulnerability

Patches are available for the latest minor on each supported major version. Sites will need to update to the latest minor version before the patch can be applied. As we are looking at a patch upgrade, and the fix is straightforward, we expect the patch upgrade to only require minimal effort per project.

Instructions on patch availability and how to upgrade can be found in the release notes:

Automatic fix on Umbraco Cloud

All Umbraco Cloud sites running the latest minor version of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed.

If a project is not running the latest minor version (10.8.x, 13.7.x, 14.3.x, 15.2.x), the patch can be applied using the minor upgrade feature.

Screenshot form the Umbraco Cloud Portal showing the option to turn on Automatic Minor Upgrades

Note that Umbraco Cloud also supports automated minor upgrades. This can be enabled on a per-project level and ensures you're always ready to receive the latest patch.

Note that Umbraco Cloud also supports automated minor upgrades. This can be enabled on a per-project level and ensures you're always ready to receive the latest patch.

What we know about the vulnerability

For more details, please refer to the security advisories:

There are no indications that the vulnerabilities were discovered or exploited prior to the report. Further details will be published on the Security Advisories at a later date.

Impact

The vulnerabilities all require authenticated access to the backoffice, including the high-severity dependency vulnerability, meaning an attacker must first log in to the backoffice to exploit them. This contributes to an overall moderate-severity rating. Nevertheless, we recommend updating to the latest patched version to ensure optimal security.

Credit

We would like to thank Pasi Keski-Korsu from Prove Expertise Oy and Ahmed Hazem from Cyshield for the responsible disclosure of the issues they discovered.

We'd also like to thank Anna Bastron from the Security & Privacy Community Team for her assistance in reviewing proposed solutions and verifying the issue resolution..

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisories. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here, you can also find information on how we handle security-related issues.

For direct communication related to security in Umbraco products, please sign up for the dedicated security mailing list.