Security patch ready on March 17th at 7 AM UTC

This is a heads-up so you can prepare for action

Written by Rune Strand

A newly found, but not publicly known, security issue could lead to disclosure of private information in Umbraco. We have a fix ready, which we will release on March 17th at 7 AM UTC. This blog post is a heads-up as we highly advise you to be ready to apply this patch release or the workaround patch. No action is required for Umbraco Cloud sites as they will be fixed automatically on March 17th.

Important note: If you're looking for the Security Advisory for September 6, 2022, please go here (sorry for the misdirection).

 

Who is affected?

All versions of Umbraco from 4.11.9 and up are affected by this vulnerability.

Thus, all sites should have the recommended patch or workaround implemented when it is released next week.

How to prepare?

Because we are looking at a patch upgrade or file replacements, we expect the fix to be rather straightforward and to only require minimal time per project. 

As this is a security patch, we highly advise you to put aside resources to get this fixed. This is also why we give you this information before we release the patch publicly.

How to upgrade on March 17th?

If you’re using Umbraco versions 8.5.x or 7.15.x then you’ll be able to upgrade to a new patch version of these releases the way you would normally upgrade. 

For sites running any other version, you have two options:

  • You can upgrade to the latest version within your major (8.5.5 or 7.15.4).
  • You can apply a workaround patch to avoid having to upgrade your site right now.

How do you check which version you are on? Share this blog post with the technical contact for your Umbraco site, and they will be able to take the necessary precautions.


Where do I find the necessary information on the 17th?

On March 17th at 7 AM UTC (find the time in your timezone here), a post will be released here on the Umbraco blog with a detailed description of how to fix this security issue.

We will create a dedicated forum post on our community site, Our.Umbraco, which we will link to in the blog post published next week.

What about sites on Umbraco Cloud?

As mentioned in the intro, all Umbraco Cloud sites will automatically get the security fix applied on March 17th between 7 AM and 9 PM UTC.

Umbraco Cloud sites running 8.5.x and 7.15.x will automatically be upgraded to 8.5.5 and 7.15.4. Cloud sites running other versions will automatically get a fix implemented, and no Umbraco upgrades will be applied.

Thus, no action is needed for Umbraco Cloud users. 

Severity details:

Due to the severity of this issue we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. Currently, we have no indication that this vulnerability is being exploited in the wild.


The next update on this issue will be published on the Umbraco blog on March 17th at 7 AM UTC.
