Skip to content

Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints

High severity GitHub Reviewed Published Feb 26, 2026 in umbraco/Umbraco.Engage.Issues • Updated Feb 27, 2026

Package

nuget Umbraco.Engage.Forms (NuGet)

Affected versions

< 16.2.1
>= 17.0.0, < 17.1.1

Patched versions

16.2.1
17.1.1

Description

Description

A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records.

Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale.

Impact

An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers.

The confidentiality impact is considered high. No direct integrity or availability impact has been identified.

The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content.

Patches

The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1

References

@Amalie-Wowern Amalie-Wowern published to umbraco/Umbraco.Engage.Issues Feb 26, 2026
Published by the National Vulnerability Database Feb 26, 2026
Published to the GitHub Advisory Database Feb 27, 2026
Reviewed Feb 27, 2026
Last updated Feb 27, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Learn more on MITRE.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Learn more on MITRE.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Learn more on MITRE.

CVE ID

CVE-2026-27449

GHSA ID

GHSA-86vq-ccwf-rm62

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.