VDB
KO
MEDIUM 4.9

GHSA-q3v2-xj35-9grx

Umbraco.AI discloses sensitive application configuration values

Details

### Impact Under certain configurations, a user with elevated privileges may be able to cause sensitive application configuration values, potentially including secret material such as credentials, to be disclosed. Successful exploitation could expose confidential information and, depending on what the affected installation stores in configuration, enable further compromise. Exploitation requires access to the AI section of the backoffice and a specific custom AI provider, which limits real-world exposure.

### Patches Patched in 1.14.0

### Workarounds Since the patch is a breaking change and requires a version jump, it is not recommended to try and implement a workaround.

### Resources * Announcement Blog Post: https://umbraco.com/blog/security-advisory-june-4-2026-security-patch-for-umbracoai-is-now-available/

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / Umbraco.AI
Introduced in: 0 Fixed in: 1.14.0
Fix dotnet add package Umbraco.AI --version 1.14.0

References