GHSA-2qjj-h6wp-c7h7
Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
Details
### Impact
Some of the Surface Controllers that the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive `RedirectUrl` from user-controlled query parameters vulnerable to malicious redirect attacks.
### Patches
The issue is resolved in versions 17.4.0 and 13.14.0.
### Workarounds
If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to `UmbLoginStatusController`, `UmbProfileController` or `UmbRegisterController` passes a concrete, trusted `RedirectUrl` into the route values of `Html.BeginUmbracoForm`.
For example:
```cshtml
@using (Html.BeginUmbracoForm<UmbLoginStatusController>(
    "HandleLogout",
    new { RedirectUrl = Model.Url() }))
{
    <button type="submit">Log out</button>
}
```
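The workaround above hard-codes a trusted target. Where a site genuinely needs to honour a return URL taken from the request (for example a `returnUrl` query parameter), the value has to be checked before it reaches the route values. The helper below is an added example, not Umbraco's own code; the names `SafeRedirect`, `IsLocalUrl` and `ResolveRedirectUrl` are hypothetical. It accepts only application-local paths and falls back to a trusted URL such as `Model.Url()` for anything else, which is the check the vulnerable templates were missing.

```csharp
// Added example (not part of Umbraco): pick a RedirectUrl for
// Html.BeginUmbracoForm route values without trusting the request.
using System;

public static class SafeRedirect
{
    // True only for paths local to this application: "/", "/member/", "~/account".
    // Rejects absolute URLs ("https://evil.example"), protocol-relative URLs
    // ("//evil.example") and the "/\evil.example" form that some browsers
    // normalise to a protocol-relative URL, plus anything with control characters.
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrWhiteSpace(url))
        {
            return false;
        }

        foreach (char c in url)
        {
            if (char.IsControl(c))
            {
                return false;
            }
        }

        if (url[0] == '/')
        {
            // "/" alone is fine; "//" and "/\" are not.
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }

        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            // "~/" alone is fine; "~//" and "~/\" are not.
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
        }

        return false;
    }

    // Returns the candidate only when it passes IsLocalUrl; otherwise the
    // trusted fallback (e.g. the current page's own URL).
    public static string ResolveRedirectUrl(string? candidate, string trustedFallback)
    {
        return IsLocalUrl(candidate) ? candidate! : trustedFallback;
    }
}
```

In a Razor view the route values would then be built as `new { RedirectUrl = SafeRedirect.ResolveRedirectUrl(Context.Request.Query["returnUrl"], Model.Url()) }` (assumed usage). ASP.NET Core's built-in `Url.IsLocalUrl(...)` applies equivalent rules and can be used in place of the hand-written check; the point is that a user-controlled value never reaches `RedirectUrl` unvalidated.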
### Resources
- https://github.com/umbraco/Umbraco-CMS/pull/22565
- https://github.com/umbraco/Umbraco-CMS/pull/22561
Affected packages
| Affected versions | Fixed in | Upgrade command |
|---|---|---|
| 0 | 13.14.0 | `dotnet add package Umbraco.Cms --version 13.14.0` |
| 17.3.0-rc | 17.4.0 | `dotnet add package Umbraco.Cms --version 17.4.0` |

References
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-46616 [ADVISORY]
- https://github.com/umbraco/Umbraco-CMS/pull/22561 [WEB]
- https://github.com/umbraco/Umbraco-CMS/pull/22565 [WEB]
- https://github.com/umbraco/Umbraco-CMS [PACKAGE]