CVE-2026-27449
Received Received - Intake
Unauthenticated API Enumeration in Umbraco Engage Exposes Sensitive Data

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27449
EUVD
EUVD-2026-8896
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
umbraco engage to 16.2.1|end_excluding=17.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Umbraco Engage versions prior to 16.2.1 and 17.1.1, where certain API endpoints do not enforce authentication or authorization checks.

An attacker can access these endpoints directly over the network without needing valid user credentials or a session.

By supplying a user-controlled identifier parameter (such as ?id=), the attacker can retrieve sensitive data associated with arbitrary records.

Because there is no access control validation, attackers can perform enumeration attacks to iterate over identifiers and extract large amounts of data.

Impact Analysis

The vulnerability allows unauthenticated attackers to retrieve sensitive Engage-related data, potentially including analytics, tracking, customer information, or other content managed by Umbraco Engage.

The confidentiality of data is highly impacted, as attackers can access sensitive information without authorization.

There is no identified impact on data integrity or system availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update Umbraco Engage to version 16.2.1 or 17.1.1, where the issue has been patched.

No known workarounds are available, so applying the official update is the recommended action.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart