CVE-2026-31834
Published: 10 March 2026
Summary
CVE-2026-31834 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Umbraco CMS (vendor: Umbraco). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 17.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
- Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
- Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.
- Provides a tamperproof, always-invoked, and verifiable mechanism to enforce access control policies.
- Certification requires independent assessment confirming access controls are implemented correctly and effective.
- Authorizing and reviewing internal connections enforces proper access control over system interfaces.
- Enforcing physical and logical access restrictions for system changes directly prevents unauthorized actors from modifying the system.
- Establishes authorization processes, verification, and supervision to prevent unauthorized access during maintenance activities.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability is a missing authorization flaw in user/group management that directly allows an authenticated user to assign unauthorized high-privilege roles, enabling both exploitation for privilege escalation (T1068) and improper account manipulation via role/group changes (T1098).
NVD Description
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, a privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.
Deeper analysis (AI-generated)
CVE-2026-31834 is a privilege escalation vulnerability in Umbraco CMS, an ASP.NET content management system. It affects versions from 15.3.1 to before 16.5.1 and 17.2.2. The flaw arises from insufficient authorization enforcement in the user management functionality, where authenticated backoffice users permitted to manage users can modify user group memberships without validating their own privileges to assign highly privileged roles. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 269 (Improper Privilege Management), 284 (Improper Access Control), and 862 (Missing Authorization).
An authenticated backoffice user with user management permissions can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By manipulating user group assignments, the attacker can elevate their own privileges or those of other users to highly privileged roles, potentially achieving full administrative control over the CMS instance and compromising confidentiality, integrity, and availability.
The vulnerability is addressed in Umbraco CMS versions 16.5.1 and 17.2.2, which implement proper authorization validation for role assignments. Additional details are available in the GitHub security advisory at https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp.
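As an added illustration (not Umbraco's code; the group names, ranks, and function names are constructed), the coarse "may manage users" check the advisory describes, next to a hardened version that refuses to grant any group more privileged than the actor's own:

```python
from dataclasses import dataclass, field

# Constructed model of backoffice users and user groups; an added
# illustration, not Umbraco's data model or code.
@dataclass(frozen=True)
class Group:
    name: str
    rank: int  # constructed ordering: higher rank = more privileged

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    can_manage_users: bool = False

GROUPS = {g.name: g for g in (
    Group("Administrators", 100), Group("Editors", 10), Group("Writers", 5))}

def max_rank(user: User) -> int:
    """Highest privilege rank the user currently holds (0 if none)."""
    return max((GROUPS[g].rank for g in user.groups), default=0)

def assign_groups_unchecked(actor: User, target: User, names) -> set:
    """Pattern the advisory describes: only the coarse 'may manage users'
    permission is checked, so an Editor can hand out Administrators,
    including to themselves."""
    if not actor.can_manage_users:
        raise PermissionError("actor lacks user-management permission")
    target.groups = set(names)
    return target.groups

def assign_groups(actor: User, target: User, names) -> set:
    """Hardened form: the actor may only grant groups that are no more
    privileged than the most privileged group the actor already holds."""
    if not actor.can_manage_users:
        raise PermissionError("actor lacks user-management permission")
    unknown = [n for n in names if n not in GROUPS]
    if unknown:
        raise ValueError(f"unknown groups: {unknown}")
    ceiling = max_rank(actor)
    too_high = [n for n in names if GROUPS[n].rank > ceiling]
    if too_high:
        # Refuse the whole request rather than silently dropping entries.
        raise PermissionError(f"actor may not grant {too_high}")
    target.groups = set(names)
    return target.groups
```

A rejected request in the hardened path is also a useful audit signal: a user-manager repeatedly asking for groups above their own ceiling is worth reviewing.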
Details
- CWE(s)