CVE-2026-31834
Published: 10 March 2026
Summary
CVE-2026-31834 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Umbraco CMS. Its CVSS base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks in the 18.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-31834 is a privilege escalation vulnerability in Umbraco CMS, an ASP.NET content management system. It affects versions from 15.3.1 up to, but not including, the fixed releases 16.5.1 and 17.2.2. The flaw arises from insufficient authorization enforcement in the user management functionality: authenticated backoffice users who are permitted to manage users can modify user group memberships without the system validating that they themselves hold the privileges conferred by the groups they assign. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management), CWE-284 (Improper Access Control), and CWE-862 (Missing Authorization).
An authenticated backoffice user with user management permissions can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By manipulating user group assignments, the attacker can elevate their own privileges or those of other users to highly privileged roles, potentially achieving full administrative control over the CMS instance and compromising confidentiality, integrity, and availability.
The vulnerability is addressed in Umbraco CMS versions 16.5.1 and 17.2.2, which implement proper authorization validation for role assignments. Additional details are available in the GitHub security advisory at https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10937
Vulnerability details
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, a privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization flaw in user/group management that directly allows an authenticated user to assign unauthorized high-privilege roles, enabling both exploitation for privilege escalation (T1068) and improper account manipulation via role/group changes (T1098).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks before allowing modification of user group memberships, blocking the unauthorized privilege escalation path.
- AC-6 (Least Privilege): Requires that only the minimum necessary privileges are assignable, preventing backoffice users from granting themselves or others highly privileged roles.
- Governs the creation and modification of user accounts and group memberships, requiring proper validation of who may perform those actions.
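As an added illustration of the flaw described in the deeper analysis and of the AC-3/AC-6 controls listed above (this is not Umbraco's code; every type, permission and method name here is hypothetical and does not reflect Umbraco's API), the following C# shows a group-assignment service in the unchecked form the advisory describes, next to a hardened form that refuses to grant any group whose permissions exceed the acting user's own:

```csharp
// Added illustration, not Umbraco's code. All names (Permission, UserGroup,
// BackofficeUser, GroupAssignmentService) are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

public enum Permission { ManageUsers, EditContent, ManageSettings, FullAdmin }

public sealed record UserGroup(string Name, IReadOnlySet<Permission> Permissions);

public sealed class BackofficeUser
{
    public string Name { get; }
    public HashSet<UserGroup> Groups { get; } = new();

    public BackofficeUser(string name, params UserGroup[] groups)
    {
        Name = name;
        foreach (var g in groups) Groups.Add(g);
    }

    // A user's effective permissions are the union of all their groups' permissions.
    public IReadOnlySet<Permission> EffectivePermissions =>
        Groups.SelectMany(g => g.Permissions).ToHashSet();
}

public sealed class GroupAssignmentService
{
    // UNCHECKED PATTERN (the defect class the advisory describes): the service only
    // verifies that the actor may manage users, never whether the actor is entitled
    // to grant the specific group being assigned.
    public void AssignGroupUnchecked(BackofficeUser actor, BackofficeUser target, UserGroup group)
    {
        if (!actor.EffectivePermissions.Contains(Permission.ManageUsers))
            throw new UnauthorizedAccessException($"{actor.Name} may not manage users");
        target.Groups.Add(group);
    }

    // HARDENED PATTERN (AC-3 access enforcement, AC-6 least privilege): the actor may
    // only grant a group whose permissions are a subset of the actor's own effective
    // permissions, so nobody can hand out more privilege than they already hold,
    // whether to themselves or to another user.
    public void AssignGroup(BackofficeUser actor, BackofficeUser target, UserGroup group)
    {
        var actorPerms = actor.EffectivePermissions;
        if (!actorPerms.Contains(Permission.ManageUsers))
            throw new UnauthorizedAccessException($"{actor.Name} may not manage users");

        var excess = group.Permissions.Except(actorPerms).ToList();
        if (excess.Count > 0)
            throw new UnauthorizedAccessException(
                $"{actor.Name} cannot grant '{group.Name}': lacks {string.Join(", ", excess)}");

        target.Groups.Add(group);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample groups and users for the demonstration.
        var admins = new UserGroup("Administrators", new HashSet<Permission>
            { Permission.FullAdmin, Permission.ManageUsers, Permission.ManageSettings, Permission.EditContent });
        var userManagers = new UserGroup("User Managers", new HashSet<Permission>
            { Permission.ManageUsers, Permission.EditContent });

        var svc = new GroupAssignmentService();

        // Unchecked service: a user manager adds themselves to Administrators.
        var mallory = new BackofficeUser("mallory", userManagers);
        svc.AssignGroupUnchecked(mallory, mallory, admins);
        Console.WriteLine($"unchecked: FullAdmin={mallory.EffectivePermissions.Contains(Permission.FullAdmin)}");

        // Hardened service: the same request is refused because the actor lacks FullAdmin
        // and ManageSettings, which the Administrators group would confer.
        var alice = new BackofficeUser("alice", userManagers);
        try { svc.AssignGroup(alice, alice, admins); }
        catch (UnauthorizedAccessException e) { Console.WriteLine($"checked: {e.Message}"); }
        Console.WriteLine($"checked: FullAdmin={alice.EffectivePermissions.Contains(Permission.FullAdmin)}");
    }
}
```

The subset test in AssignGroup is the single check that closes the escalation path: it ties what an actor may grant to what the actor already holds, rather than to a coarse "may manage users" flag. Applying the same rule on group removal and on user creation keeps the control consistent across the whole account-management surface.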