CVE-2026-46616

MEDIUM5.4

Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

Published: 5/21/2026Modified: 5/21/2026

Description

### Impact Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. ### Patches The issue is resolved in versions 17.4.0 and 13.14.0. ### Workarounds If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to `UmbLoginStatusController`, `UmbProfileController` or `UmbRegisterController` passes a concrete, trusted `RedirectUrl` into `Html.BeginUmbracoForm's` route values. For example: ```cshtml @using (Html.BeginUmbracoForm<UmbLoginStatusController>( "HandleLogout", new { RedirectUrl = Model.Url() })) { <button type="submit">Log out</button> } ``` ### Resources https://github.com/umbraco/Umbraco-CMS/pull/22565 https://github.com/umbraco/Umbraco-CMS/pull/22561

Affected packages (1)

NuGet/Umbraco.Cmsfrom 0, < 13.14.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Description

Affected packages (1)

CVSS scores

References (4)