Executive Summary

CVE-2026-24687 is a path traversal and file enumeration vulnerability in Umbraco Forms versions prior to 16.4.1 and 17.1.1 on Mac and Linux systems. It allows an authenticated backoffice user to traverse directories and enumerate files on the system's filesystem, reading their contents. This happens because the software does not properly sanitize input used to build file paths, allowing special path elements like "../" to access files outside the intended directories. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive file contents on the server where Umbraco Forms is installed. An authenticated backoffice user could read files they should not have access to, potentially exposing confidential information. However, it does not affect system integrity or availability, and it does not impact Umbraco Cloud users running on Windows. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection can focus on monitoring requests to the /umbraco/forms/api/v1/export endpoint for path traversal patterns in the fileName parameter, such as '../' or '..\'. Network or web server logs can be searched for these patterns. For example, using grep on access logs: grep -E 'fileName=.*(\.\./|\.\.\\)' access.log. Additionally, monitoring authenticated backoffice user activity for unusual export requests may help detect exploitation attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Upgrading Umbraco Forms to patched versions 16.4.1 or 17.1.1. 2) If upgrading is not possible immediately, configure a Web Application Firewall (WAF) or reverse proxy to block requests containing path traversal sequences ('../' or '..\') in the fileName parameter of the export API endpoint. 3) Restrict network access to the Umbraco backoffice to trusted IP ranges. 4) Block the /umbraco/forms/api/v1/export endpoint entirely if the export feature is not required. [1]

Useful 0 Not Useful 0