CVE-2025-27601 — Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type F

Description

### Impact An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. ### Patches Will be patched in 14.3.3 and 15.2.3. ### Workarounds None available.

How to fix CVE-2025-27601

To remediate CVE-2025-27601, upgrade the affected package to a fixed version below.

—upgrade to 15.2.3 or later

Is CVE-2025-27601 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 15.0.0-rc1, < 15.2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-27601
PATCHgithub.com/umbraco/Umbraco-CMS
WEBgithub.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd
WEBgithub.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9c