Security Advisory Blog Medium Severity Header

Security Advisory: Security patches for Umbraco 8, 10, 11, and 12 now available

We recommend you upgrade to the latest patches.

Bjarke Mikkelsen Berg
Written by Bjarke Berg

Two medium-severity security issues have been identified in Umbraco CMS. These vulnerabilities could lead to users executing operations not intended with their permissions. Today, we have released patches for all affected versions and advise you to upgrade to the latest patch. Projects running on Umbraco Cloud will get the fix automatically today. The security issue is not publicly known.

Who’s affected?

Versions affected:

  • Umbraco 8.0.0-8.18.9 (version 8 is affected by 1 medium-severity issue. Upgrading to the latest patch will fix this as well as some low-severity issues)

  • Umbraco 10.0.0-10.8.0 (version 10 is affected by 2 medium-severity issues. Upgrading to the latest patch will fix both of these and a low-severity issue)

  • Umbraco 12.0.0-12.3.3. (version 12 is affected by 2 medium-severity issues. Upgrading to the latest patch will fix both of these and a low-severity issue))

Umbraco 7, 9, and 11 are likely also subject to the vulnerabilities but are all end-of-life versions and will not receive a patch. We recommend upgrading to a supported major version.

Umbraco 7 XLTS customers have been informed directly via email of their needed action.

How to fix the vulnerability

Patches are available for the latest minor on each supported major version. Sites will need to update to the latest minor version before the patch can be applied. As we are looking at a patch upgrade, and the fix is straightforward, we expect the patch upgrade to only require minimal effort per project. 

Instructions on patch availability and how to upgrade can be found in the release notes:

Update 13/12/2023: 

Due to a discovered non-security-related regression issue, a new patch is ready. We encourage you to update to the latest patch:

Umbraco 8.18.11

Umbraco 10.8.2

Umbraco 12.3.5

All Umbraco Cloud projects have automatically been updated to this new patch. 

Umbraco 7 XLTS versions are not affected by the regression issue.

Automatic fix on Umbraco Cloud

All Umbraco Cloud sites running the latest minor of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed. 

If a project is not running the latest minor version (8.18.x, 10.4.x, or 12.3.x), the patch can be applied using the minor upgrade feature. Please note that we’ve recently added the option to get automatic minor upgrades on Umbraco Cloud. All new Cloud projects will have this option turned on by default, but for existing projects, we highly encourage you to turn on this function for your projects to always be on the latest and safest minor and patch version. 

You can opt-in to enable Automatic Minor Upgrades directly from Umbraco Cloud on the new Automatic Upgrades page.

Screenshot form the Umbraco Cloud Portal showing the option to turn on Automatic Minor Upgrades

What we know about the vulnerability

Both vulnerabilities require access to the backoffice before they can be exploited. Further details will be revealed on the Security Advisories after some time. 


We’d like to thank Jeroen Koppenol, Raphael Silva, Emma Garland, GiantAtPlay and roie-shmuel for reporting the issues and responsible disclosure of details regarding the vulnerability.

Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisories. Alternatively, you can reach out to the dedicated security email address listed at Here you can also find information on how we handle security-related issues.

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advice, go ahead and ask on the community forums.

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox