Security advisory: Security patch for Umbraco CMS ready on September 6 at 08 AM UTC

This is a heads-up so you can prepare for action

Bjarke Mikkelsen Berg
Written by Bjarke Berg

We have identified a medium-severity security issue in Umbraco CMS. This vulnerability could lead to unauthorized access to the backoffice in specific circumstances. We have a patch ready to address the issue which will be released on Tuesday, September 6, 2022, at 08 AM UTC. The security issue is not publicly known. This blog post is a heads-up as we advise you to be ready to apply this patch release. No action is required for Umbraco Cloud sites as they are not affected.

Update 2022-09-06: Patches have now been released for Umbraco 9 and 10. Please refer to the Security Advisory for September 6, 2022 blog post for more details.

Who’s affected?

Versions affected: Umbraco 9.0.0-9.5.3 and 10.0.0-10.1.0

How do I prepare?

Because we are looking at a patch upgrade, we expect the fix to be rather straightforward and to only require minimal time per project. 

As this is a security patch, we highly advise you to put aside resources to get this fixed. This is also why we give you this information before we release the patch publicly. 

Note that the patches will be made available for the latest minor versions and also included in the Umbraco 10.2 release scheduled for next week. Upgrading to the latest available minor version can be done prior to the patch release and means you are optimally prepared.

How to upgrade on September 6?

If you’re using Umbraco versions 9.5 or 10.1 then you’ll be able to upgrade to a new patch version of these releases the way you would normally upgrade. 

How do you check which version you are on? Reach out with this blog post to your technical contact for your Umbraco site and they will be able to take care of the necessary precautions.

Where do I find the necessary information on September 6?

On September 6 at 08 AM UTC, (find the time in your timezone here) a post will be released here on the Umbraco blog with a detailed description on how to fix this security issue.

The blog post will contain a link to the fixed issue on Github. We will monitor and answer any technical questions you might have related to this. 

What about sites on Umbraco Cloud?

Umbraco Cloud sites are not affected by this issue.

Severity details:

Due to the severity of this issue we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. Currently, we have no indication that this vulnerability is being exploited in the wild.

The next update on this issue will be published on the Umbraco blog on September 6 at 08 AM UTC.

More Information

If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed on https://umbraco.com/security. Here you can also find information on how we handle security related issues.

If you want to get notified about security heads-ups and advisories directly, sign up for the Umbraco Security mailing list.

 

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advice, go ahead and ask the Umbraco community on Our.

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox