CVE-2026-24687
Path Traversal in Umbraco Forms Allows Authenticated File Access
Publication date: 2026-01-29
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| umbraco | umbraco_forms | From 16.0.0 (inc) to 16.4.1 (exc) |
| umbraco | umbraco_forms | From 17.0.0 (inc) to 17.1.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24687 is a path traversal and file enumeration vulnerability in Umbraco Forms versions prior to 16.4.1 and 17.1.1 on Mac and Linux systems. It allows an authenticated backoffice user to traverse directories and enumerate files on the system's filesystem, reading their contents. This happens because the software does not properly sanitize input used to build file paths, allowing special path elements like "../" to access files outside the intended directories. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive file contents on the server where Umbraco Forms is installed. An authenticated backoffice user could read files they should not have access to, potentially exposing confidential information. However, it does not affect system integrity or availability, and it does not impact Umbraco Cloud users running on Windows. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring requests to the `/umbraco/forms/api/v1/export` endpoint for path traversal patterns in the `fileName` parameter, such as `../` or `..\`. Network or web server logs can be searched for these patterns. For example, using grep on access logs: `grep -E 'fileName=.*(\.\./|\.\.\\)' access.log`. Additionally, monitoring authenticated backoffice user activity for unusual export requests may help detect exploitation attempts. [1]
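As an added detection example (not part of this advisory record), the following Python script applies the same idea as the grep above but more robustly: it scopes matches to the export endpoint and `fileName` parameter named in the answer, and percent-decodes the value repeatedly so that URL-encoded or double-encoded traversal sequences, which the literal grep would miss, are also flagged. The log lines, hosts and file names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory Q&A above.
EXPORT_PATH = "/umbraco/forms/api/v1/export"
PARAM = "fileName"

# Common Log Format: the request line is the quoted "METHOD target HTTP/x.y".
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample access-log lines (placeholder hosts, users and file names).
SAMPLE_LOG = [
    '10.0.0.5 - editor [29/Jan/2026:10:00:01 +0000] "GET /umbraco/forms/api/v1/export?fileName=contact-form.csv HTTP/1.1" 200 512',
    '10.0.0.7 - editor [29/Jan/2026:10:00:02 +0000] "GET /umbraco/forms/api/v1/export?fileName=..%2F..%2Fsome-file.txt HTTP/1.1" 200 2048',
    '10.0.0.7 - editor [29/Jan/2026:10:00:03 +0000] "GET /umbraco/forms/api/v1/export?fileName=%252e%252e%2Fother.txt HTTP/1.1" 404 0',
    '10.0.0.7 - editor [29/Jan/2026:10:00:04 +0000] "GET /umbraco/forms/api/v1/export?fileName=..%5C..%5Cthird.txt HTTP/1.1" 200 64',
    '10.0.0.9 - - [29/Jan/2026:10:00:05 +0000] "GET /some/other/endpoint?fileName=../x HTTP/1.1" 200 100',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the (decoded) value contains a parent-directory step, with / or \\ separators."""
    segments = value.replace("\\", "/").split("/")
    return ".." in segments


def flag_export_requests(log_lines):
    """Return (line_no, decoded fileName) for each export request whose fileName traverses."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.lower() != EXPORT_PATH:  # ASP.NET routes are case-insensitive
            continue
        # parse_qs already decodes one layer; decode_fully handles nested encoding.
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = decode_fully(raw)
            if has_traversal(value):
                hits.append((n, value))
    return hits


if __name__ == "__main__":
    for line_no, value in flag_export_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious fileName={value!r}")
```

Line 5 is not reported even though it contains `../`, because the check is scoped to the export endpoint; widen `EXPORT_PATH` matching if your deployment serves the Forms API under a different prefix.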
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Upgrade Umbraco Forms to the patched versions 16.4.1 or 17.1.1.
2. If upgrading is not possible immediately, configure a Web Application Firewall (WAF) or reverse proxy to block requests containing path traversal sequences (`../` or `..\`) in the `fileName` parameter of the export API endpoint.
3. Restrict network access to the Umbraco backoffice to trusted IP ranges.
4. Block the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. [1]