CVE-2025-27602: Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
By manipulating backoffice API URLs, an authenticated backoffice user can retrieve or delete content or media items held in folders that the user has not been granted access to, bypassing the editor's configured permissions.
References
- github.com/advisories/GHSA-wx5h-wqfq-v698
- github.com/umbraco/Umbraco-CMS
- github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7
- github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d
- github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698
- nvd.nist.gov/vuln/detail/CVE-2025-27602