CVE-2026-27449
Unauthenticated API Enumeration in Umbraco Engage Exposes Sensitive Data
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| umbraco | engage | < 16.2.1 (excluding); < 17.1.1 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Umbraco Engage versions prior to 16.2.1 and 17.1.1, where certain API endpoints do not enforce authentication or authorization checks.
An attacker can access these endpoints directly over the network without needing valid user credentials or a session.
By supplying a user-controlled identifier parameter (such as ?id=), the attacker can retrieve sensitive data associated with arbitrary records.
Because there is no access control validation, attackers can perform enumeration attacks to iterate over identifiers and extract large amounts of data.
How can this vulnerability impact me?
The vulnerability allows unauthenticated attackers to retrieve sensitive Engage-related data, potentially including analytics, tracking, customer information, or other content managed by Umbraco Engage.
The confidentiality of data is highly impacted, as attackers can access sensitive information without authorization.
There is no identified impact on data integrity or system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update Umbraco Engage to version 16.2.1 or 17.1.1, where the issue has been patched.
No known workarounds are available, so applying the official update is the recommended action.
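Since the Q&A above gives no detection guidance, here is an added example (not part of this record or of Umbraco's own tooling) that scans reverse-proxy access logs for the pattern the advisory describes: an unauthenticated client walking many distinct `?id=` values against one endpoint and receiving 200 responses. The endpoint path, the trailing `auth=yes|no` field (assumed to be written by the proxy when a session cookie or Authorization header is present) and the log lines themselves are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines, not real Umbraco Engage traffic. The path is a placeholder
# and "auth=yes|no" is an assumed proxy-added field marking whether credentials were sent.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2026:10:00:01 +0000] "GET /api/example/record?id=101 HTTP/1.1" 200 auth=no
203.0.113.7 - - [26/Feb/2026:10:00:01 +0000] "GET /api/example/record?id=102 HTTP/1.1" 200 auth=no
203.0.113.7 - - [26/Feb/2026:10:00:02 +0000] "GET /api/example/record?id=103 HTTP/1.1" 200 auth=no
203.0.113.7 - - [26/Feb/2026:10:00:02 +0000] "GET /api/example/record?id=104 HTTP/1.1" 200 auth=no
203.0.113.7 - - [26/Feb/2026:10:00:03 +0000] "GET /api/example/record?id=105 HTTP/1.1" 200 auth=no
203.0.113.7 - - [26/Feb/2026:10:00:03 +0000] "GET /api/example/record?id=106 HTTP/1.1" 200 auth=no
198.51.100.2 - - [26/Feb/2026:10:01:00 +0000] "GET /api/example/record?id=42 HTTP/1.1" 200 auth=yes
198.51.100.2 - - [26/Feb/2026:10:01:05 +0000] "GET /api/example/record?id=42 HTTP/1.1" 200 auth=yes
192.0.2.9 - - [26/Feb/2026:10:02:00 +0000] "GET /api/example/record?id=7 HTTP/1.1" 200 auth=no
192.0.2.9 - - [26/Feb/2026:10:02:01 +0000] "GET /api/example/record?id=900 HTTP/1.1" 200 auth=no
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>[^?\s]+)\?(?P<query>\S*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) auth=(?P<auth>yes|no)$'
)


def find_id_enumeration(log_text, min_ids=5, min_sequential_ratio=0.8):
    """Return one alert per (client, path) where an unauthenticated client fetched at
    least `min_ids` distinct numeric ids successfully. A high share of consecutive
    ids (sequential_ratio) is the strongest enumeration signal."""
    seen = defaultdict(set)  # (ip, path) -> set of integer ids served with 200
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['auth'] != 'no' or m['status'] != '200':
            continue  # authenticated or unsuccessful requests are not enumeration evidence
        params = dict(p.split('=', 1) for p in m['query'].split('&') if '=' in p)
        if params.get('id', '').isdigit():
            seen[(m['ip'], m['path'])].add(int(params['id']))
    alerts = []
    for (ip, path), ids in seen.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        alerts.append({'ip': ip, 'path': path, 'distinct_ids': len(ids),
                       'sequential_ratio': round(ratio, 2),
                       'severity': 'high' if ratio >= min_sequential_ratio else 'medium'})
    return alerts
```

Lower `min_ids` or drop the status filter when hunting retrospectively; on a patched instance the same requests should return 401/403 and therefore never reach the alert list.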