CVE-2025-27601

Source
https://cve.org/CVERecord?id=CVE-2025-27601
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27601.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27601
Aliases
Published
2025-03-11T15:30:09.761Z
Modified
2026-04-10T05:24:11.240800Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
Details

Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package in versions prior to 15.2.3 and 14.3.3. It allows low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27601.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/umbraco/umbraco-cms

Affected ranges

Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Database specific
{
    "versions": [
        {
            "introduced": "15.0.0-rc1"
        },
        {
            "fixed": "15.2.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "14.3.3"
        }
    ]
}

Affected versions

4.*
4.7.2
Release-4.*
Release-4.5.2
Release-4.6.0
Other
Sprint-Juno-A
release-netcore-alpha002
release-netcore-alpha004
release-10.*
release-10.0.0-rc1
release-11.*
release-11.0.0-rc1
release-14.*
release-14.0.0--preview004
release-14.0.0--preview005
release-14.0.0--preview006
release-14.3.0
release-14.3.0-rc
release-14.3.1
release-14.3.2
release-6.*
release-6.1.0-beta
release-7.*
release-7.0.0
release-7.0.0-RC
release-7.0.0-beta
release-7.1.0
release-7.1.0-RC
release-7.1.1
release-7.1.2
release-7.1.3
release-7.1.4
release-7.2.0-alpha
release-7.2.0-beta
release-7.2.0-beta2
release-9.*
release-9.0.0
release-9.0.0-beta001
release-9.0.0-beta002
release-9.0.0-beta003
release-9.0.0-beta004
release-9.0.0-rc002
release-9.0.0-rc003
release-9.0.0-rc004
release-netcore-0.*
release-netcore-0.5.0-alpha001
v14.*
v14.0.0--preview005

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27601.json"