GHSA-6ffg-mjg7-585x: Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-27601

Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality

Moderate severity GitHub Reviewed Published Mar 11, 2025 in umbraco/Umbraco-CMS • Updated Mar 11, 2025

Package

nuget Umbraco.Cms.Api.Management (NuGet)

Affected versions

>= 15.0.0-rc1, <= 15.2.2

<= 14.3.2

Patched versions

15.2.3

14.3.3

Description

Impact

An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section.

Patches

Will be patched in 14.3.3 and 15.2.3.

Workarounds

None available.

References

• GHSA-6ffg-mjg7-585x
• umbraco/Umbraco-CMS@d9fb6df
• umbraco/Umbraco-CMS@ebb6a58

Published to the GitHub Advisory Database

Mar 11, 2025

Last updated

Mar 11, 2025

EPSS score