Cyber Resilience

CVE-2026-31834

Severity: High
Published: 10 March 2026
Modified: 18 March 2026
KEV Added: not listed
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.1st percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31834 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Umbraco CMS (vendor: Umbraco). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 18.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-31834 is a privilege escalation vulnerability in Umbraco CMS, an ASP.NET content management system. It affects versions from 15.3.1 up to but not including 16.5.1, and 17.x versions from 17.0.0 up to but not including 17.2.2. The flaw arises from insufficient authorization enforcement in the user management functionality: an authenticated backoffice user who is permitted to manage users can modify user group memberships, and the affected code checks that the user holds the management permission but not whether the user is entitled to assign the specific, highly privileged roles being granted. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management), CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization).

An authenticated backoffice user who already holds user management permissions (the PR:H component of the vector) can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By manipulating user group assignments, the attacker can elevate their own privileges or those of other users to highly privileged roles, potentially achieving full administrative control over the CMS instance and compromising the confidentiality, integrity and availability of its content and configuration.
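The authorization gap described above, modelled as an added illustrative example rather than Umbraco's own code: the group names, the rank ordering, the rule that an actor may neither assign a group that outranks their own nor edit a user who outranks them, and the sample users are all constructed assumptions chosen to show the bug class and its fix, not the real Umbraco backoffice API. The hardened function is also what the AC-3 (Access Enforcement) and AC-6 (Least Privilege) controls listed under Mitigating Controls amount to in code.

```python
"""Illustrative model of the authorization gap in CVE-2026-31834.

Added example, not Umbraco's code. The group names, the rank ordering,
the 'never assign above your own rank / never edit someone above your
rank' rule and the sample users are constructed assumptions chosen to
show the bug class and its fix, not the real Umbraco backoffice API.
"""
from dataclasses import dataclass, field

# Constructed privilege ladder: a higher number means more privilege.
GROUP_RANK = {"Writer": 1, "Editor": 2, "UserManager": 3, "Administrator": 4}
USER_MANAGING_GROUPS = {"UserManager", "Administrator"}


class PermissionDenied(Exception):
    """Raised when an actor attempts an action they are not authorised for."""


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

    @property
    def rank(self) -> int:
        """Rank of the most privileged group the user holds (0 if none)."""
        return max((GROUP_RANK[g] for g in self.groups), default=0)

    @property
    def can_manage_users(self) -> bool:
        return bool(self.groups & USER_MANAGING_GROUPS)


def set_groups_vulnerable(actor: User, target: User, new_groups: set) -> None:
    """Modelled pre-fix behaviour: the only check is 'may the actor manage
    users at all?'. Nothing asks whether the actor may hand out *these*
    groups, so a UserManager can make themself (or anyone) Administrator."""
    if not actor.can_manage_users:
        raise PermissionDenied(f"{actor.name} cannot manage users")
    target.groups = set(new_groups)


def set_groups_fixed(actor: User, target: User, new_groups: set) -> None:
    """Modelled post-fix behaviour (AC-3 enforcement of an AC-6 rule):
    the actor must hold user-management rights, may not edit a user who
    outranks them, and may not assign any group that outranks their own."""
    if not actor.can_manage_users:
        raise PermissionDenied(f"{actor.name} cannot manage users")
    unknown = set(new_groups) - set(GROUP_RANK)
    if unknown:
        raise ValueError(f"unknown groups: {sorted(unknown)}")
    if target.rank > actor.rank:
        raise PermissionDenied(
            f"{actor.name} may not edit {target.name}, who outranks them")
    too_high = {g for g in new_groups if GROUP_RANK[g] > actor.rank}
    if too_high:
        raise PermissionDenied(
            f"{actor.name} (rank {actor.rank}) may not assign {sorted(too_high)}")
    target.groups = set(new_groups)


def _attempt(fn, actor: User, target: User, new_groups: set) -> bool:
    """True if the assignment went through, False if it was refused."""
    try:
        fn(actor, target, new_groups)
        return True
    except PermissionDenied:
        return False


def run_demo() -> dict:
    """Exercise both code paths with constructed users; returns outcomes."""
    results = {}

    # 1. Self-escalation: a user manager grants themself Administrator.
    mallory = User("mallory", {"UserManager"})
    _attempt(set_groups_vulnerable, mallory, mallory, {"UserManager", "Administrator"})
    results["vulnerable_self_escalation"] = "Administrator" in mallory.groups

    mallory = User("mallory", {"UserManager"})
    results["fixed_self_escalation"] = _attempt(
        set_groups_fixed, mallory, mallory, {"UserManager", "Administrator"})

    # 2. Escalating another account instead of oneself is the same bug.
    alice = User("alice", {"Writer"})
    results["fixed_escalate_other"] = _attempt(
        set_groups_fixed, mallory, alice, {"Administrator"})

    # 3. Legitimate use must still work: promoting a Writer to Editor.
    results["fixed_legit_promotion"] = (
        _attempt(set_groups_fixed, mallory, alice, {"Editor"})
        and alice.groups == {"Editor"})

    # 4. A user manager may not touch an Administrator's memberships.
    root = User("root", {"Administrator"})
    results["fixed_demote_admin"] = _attempt(set_groups_fixed, mallory, root, {"Writer"})
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

The point of the fixed version is that the permission to manage users and the right to grant a particular role are two separate decisions; the vulnerable version collapses them into one.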

The vulnerability is addressed in Umbraco CMS versions 16.5.1 and 17.2.2, which implement proper authorization validation for role assignments. Additional details are available in the GitHub security advisory at https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-rhcg-3h8r-v6vp.

Vulnerability details

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, a privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2.

CWE(s)

CWE-269 Improper Privilege Management
CWE-284 Improper Access Control
CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The vulnerability is a missing authorization flaw in user and group management that directly allows an authenticated user to assign unauthorized high-privilege roles. That maps to exploitation for privilege escalation (T1068) for the initial elevation, and to account manipulation (T1098) because the escalation is carried out, and can be made persistent, through role and group changes on accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24011 · Same product: Umbraco CMS
CVE-2012-10054 · Same product: Umbraco CMS
CVE-2026-33318 · Shared CWE-284, CWE-862
CVE-2025-68924 · Same vendor: Umbraco
CVE-2026-35182 · Shared CWE-862
CVE-2026-34393 · Shared CWE-269
CVE-2025-8322 · Shared CWE-862
CVE-2026-4261 · Shared CWE-862
CVE-2025-8310 · Shared CWE-862
CVE-2026-44730 · Shared CWE-284

Affected Assets

Vendor: Umbraco
Product: Umbraco CMS
Affected versions: 15.3.1 up to but not including 16.5.1; 17.0.0 up to but not including 17.2.2 (16.5.1 and 17.2.2 are the fixed releases)
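A quick way to triage an inventory against the ranges above, as an added example that is not part of the advisory. The ranges are the advisory's; the version-string grammar, and the decision to treat a pre-release of a fixed version (for example 16.5.1-rc1) as still affected, are assumptions made here. A version outside both ranges is "not affected" only with respect to this advisory; out-of-support branches should be checked against the vendor advisory separately.

```python
"""Added example (not part of the advisory): classify installed Umbraco CMS
versions against the affected ranges listed for CVE-2026-31834.

The ranges are the advisory's. The version-string grammar and the choice to
treat a pre-release of a fixed version (e.g. 16.5.1-rc1) as still affected
are assumptions made in this example.
"""
import re

# [introduced, fixed): the upper bound is the patched release and is excluded.
# Tuples are (major, minor, patch, release_flag); release_flag is 0 for a
# pre-release and 1 for a final build so that 16.5.1-rc1 sorts below 16.5.1.
AFFECTED_RANGES = [
    ((15, 3, 1, 0), (16, 5, 1, 1)),
    ((17, 0, 0, 0), (17, 2, 2, 1)),
]

# Accepts '16.5.1', 'v17.2.2', '16.5', '16.5.1-rc1', '17.2.2+build7'.
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?\s*$")


def parse_version(text: str) -> tuple:
    """Parse a version string into a comparable tuple.
    Build metadata is ignored; a pre-release tag lowers the release flag."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def is_affected(text: str) -> bool:
    """True if the version falls inside any range the advisory lists."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions) -> dict:
    """Map each version string to 'affected', 'not affected' or 'unparseable'."""
    out = {}
    for s in versions:
        try:
            out[s] = "affected" if is_affected(s) else "not affected"
        except ValueError:
            out[s] = "unparseable"
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["15.3.0", "15.3.1", "16.4.0", "16.5.1-rc1", "16.5.1",
              "17.0.0", "17.2.1", "17.2.2", "17.3.0", "banana"]
    for v, verdict in triage(sample).items():
        print(f"{v:12} {verdict}")
```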

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement · prevent

Directly enforces authorization checks before allowing modification of user group memberships, blocking the unauthorized privilege escalation path.

AC-6 Least Privilege · prevent

Requires that only the minimum necessary privileges are assignable, preventing backoffice users from granting themselves or others highly privileged roles.

AC-2 Account Management · prevent

Governs the creation and modification of user accounts and group memberships, requiring proper validation of who may perform those actions.
