CVE-2026-46616
Status: Received - Intake
Open Redirect in Umbraco CMS via Surface Controllers

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers the CMS provides to support member-related operations fail to validate redirect URLs, so Razor templates that derive 'RedirectUrl' from user-controlled query parameters are vulnerable to malicious redirect (open redirect) attacks. This issue has been patched in versions 13.14.0 and 17.4.0.
Meta Information
EPSS Evaluated: N/A
Related records: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs
Vendor    Product   Version / Range
umbraco   cms       < 13.14.0 and < 17.4.0 (upper bounds excluded)
umbraco   cms       13.14.0 (the patched 13.x release named in the description)
umbraco   cms       17.4.0 (the patched 17.x release named in the description)
umbraco   umbraco   < 17.4.0 (excluded)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

CVE-2026-46616 is an open redirect (CWE-601) in Umbraco CMS affecting the Surface Controllers that back member operations (login status, registration, profile) in versions before 13.14.0 and 17.4.0.

The controllers do not validate the RedirectUrl route value they receive. A Razor template that fills RedirectUrl from a user-controlled query parameter therefore lets an attacker supply an absolute URL to an external site; once the member action completes, the controller sends the victim there.

In practice the attacker crafts a link to the legitimate site that carries the malicious redirect target and gets a victim to use the form; the victim lands on the attacker's site after interacting with a page on the trusted domain.

Severity is Medium (CVSS score 5.4): low attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact, no availability impact.

Impact Analysis

An attacker can use your site's own member forms to send your users to an external destination of the attacker's choosing.

Because the link starts on your domain, such redirects are effective for phishing (a look-alike login page after a genuine-looking logout or registration step), malware distribution and other social engineering that trades on your users' trust in your site.

The direct impact on confidentiality and integrity is low and availability is unaffected, but the reputational damage and the downstream compromise of user credentials can be significant.

Exploitation needs no privileges and has low complexity; it does require a user to follow the crafted link and submit the form.

Upgrading to 13.14.0 or 17.4.0 removes the issue; until then, the workaround below (only trusted, concrete RedirectUrl values in the affected forms) closes it at the template level.

Detection Guidance

Exploitation leaves a trace in the request that reaches the site: a query parameter whose value is an absolute or protocol-relative URL pointing off-site, which the Razor template then passes as RedirectUrl to UmbLoginStatusController, UmbRegisterController or UmbProfileController.

Detection therefore focuses on requests to the pages that host these member forms, and on the parameter each template feeds into RedirectUrl. RedirectUrl is the route value name; the query parameter a template reads from is site-specific (returnUrl, redirect and similar are common), so check your templates and extend the filters accordingly. Flag values that start with a scheme, with '//' or with '/\', in plain or percent-encoded form.

  • Search web server logs for redirect parameters carrying an external target, for example: grep -iE 'RedirectUrl=(https?(:|%3A)|(/|%2F)(/|%2F|\\|%5C))' /path/to/access.log (substitute the parameter name your templates use).
  • On plaintext HTTP, capture with tcpdump or Wireshark and filter GET/POST requests containing such parameters; behind TLS the capture is opaque, so use the logs of the terminating reverse proxy or the application instead.
  • Add application-level logging that records the RedirectUrl value received by the affected controllers, or the value your templates compute before passing it on, and alert on anything that is not a site-local path.
Mitigation Strategies

The primary mitigation is to upgrade Umbraco CMS to 13.14.0 (13.x line) or 17.4.0 (17.x line) or later, where the affected controllers validate the redirect URL.

Until the upgrade is in place, audit every Razor form that posts to UmbLoginStatusController, UmbProfileController or UmbRegisterController through Html.BeginUmbracoForm and make sure the RedirectUrl route value is a trusted, concrete site-local path rather than anything read from the query string, form fields or headers.

Where the destination has to vary, validate the candidate before it reaches the route values: accept only site-relative paths (a single leading '/' or '~/', not '//' or '/\', and no scheme) and fall back to a fixed page otherwise. Stripping or escaping characters is not a substitute for this allow-list check, since a protocol-relative URL such as //evil.example contains nothing to strip.
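The detection and mitigation guidance above both reduce to one decision: is a candidate redirect target site-local? The C# below is an added example, not Umbraco's code or its patch. It assumes the local-URL rules of ASP.NET Core's IUrlHelper.IsLocalUrl are the right bar (a single leading '/' or '~/', no '//' or '/\', no scheme, no control characters), applies them as a drop-in for the Razor route value in a hardened form, and runs the same check over constructed access-log lines to flag off-site values. The Razor lines in the comments are illustrative (UmbRegisterController and its HandleRegisterMember action are Umbraco names; verify them against your version), and the watched parameter names, class names and log lines are this example's own.

```csharp
#nullable enable
// Added example, not Umbraco project code. One local-URL check, used twice:
//  1) RedirectUrlGuard.Resolve(...) for Razor forms that fill RedirectUrl from a query parameter
//  2) LogScanner.FindOffSiteRedirects(...) over access-log lines for detection
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class RedirectUrlGuard
{
    // Local-URL rules as in ASP.NET Core's IUrlHelper.IsLocalUrl (assumption: this mirrors the
    // intent of the fix, not Umbraco's actual code): accept "/path" or "~/path"; reject the
    // protocol-relative "//host" and "/\host", anything with a scheme, and control characters.
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;           // CR/LF and friends after percent-decoding
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        if (url.Length > 1 && url[0] == '~' && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
        return false;   // "https://evil.example", "evil.example", "http:evil.example", "javascript:..." all end here
    }

    // Returns the caller-supplied value only when it is site-local, otherwise a fixed fallback.
    public static string Resolve(string? candidate, string fallback = "/")
        => IsLocalUrl(candidate) ? candidate! : fallback;
}

// Razor usage (illustrative):
//   vulnerable:  @using (Html.BeginUmbracoForm<UmbRegisterController>("HandleRegisterMember",
//                    new { RedirectUrl = Context.Request.Query["returnUrl"].ToString() })) { ... }
//   hardened:    @using (Html.BeginUmbracoForm<UmbRegisterController>("HandleRegisterMember",
//                    new { RedirectUrl = RedirectUrlGuard.Resolve(Context.Request.Query["returnUrl"], "/members/") })) { ... }

public static class LogScanner
{
    // Request line of a Combined Log Format entry: "GET /path?query HTTP/1.1"
    private static readonly Regex RequestLine =
        new(@"""(?<method>[A-Z]+) (?<target>\S+) HTTP/[0-9.]+""", RegexOptions.Compiled);

    // Query parameter names that templates commonly pass into RedirectUrl (site-specific; extend as needed).
    public static readonly HashSet<string> WatchedParams =
        new(StringComparer.OrdinalIgnoreCase) { "RedirectUrl", "returnUrl", "redirect" };

    // Returns one line per watched parameter whose decoded value is not site-local.
    public static List<string> FindOffSiteRedirects(IEnumerable<string> logLines)
    {
        var hits = new List<string>();
        foreach (string line in logLines)
        {
            Match m = RequestLine.Match(line);
            if (!m.Success) continue;
            string target = m.Groups["target"].Value;
            int q = target.IndexOf('?');
            if (q < 0) continue;
            foreach (string pair in target[(q + 1)..].Split('&', StringSplitOptions.RemoveEmptyEntries))
            {
                int eq = pair.IndexOf('=');
                string name = eq < 0 ? pair : pair[..eq];
                string raw = eq < 0 ? "" : pair[(eq + 1)..];
                if (!WatchedParams.Contains(name)) continue;
                string value = Uri.UnescapeDataString(raw.Replace('+', ' '));   // decode before judging
                if (!RedirectUrlGuard.IsLocalUrl(value))
                    hits.Add($"{m.Groups["method"].Value} {target}  ->  {name}={value}");
            }
        }
        return hits;
    }
}

public static class Demo
{
    // Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
    public static readonly string[] SampleLog =
    {
        "203.0.113.5 - - [10/Jun/2026:12:00:01 +0000] \"GET /login?returnUrl=%2Fmembers%2F HTTP/1.1\" 200 512",
        "203.0.113.9 - - [10/Jun/2026:12:00:07 +0000] \"GET /login?returnUrl=https%3A%2F%2Fevil.example%2F HTTP/1.1\" 200 512",
        "198.51.100.2 - - [10/Jun/2026:12:00:09 +0000] \"GET /register?RedirectUrl=%2F%2Fevil.example HTTP/1.1\" 200 640",
        "198.51.100.3 - - [10/Jun/2026:12:00:11 +0000] \"GET /register?RedirectUrl=%2F%5Cevil.example HTTP/1.1\" 200 640",
        "198.51.100.4 - - [10/Jun/2026:12:00:13 +0000] \"GET /profile?RedirectUrl=~%2Fprofile%2F&lang=en HTTP/1.1\" 200 700",
    };

    public static void Main()
    {
        foreach (string hit in LogScanner.FindOffSiteRedirects(SampleLog))
            Console.WriteLine("OFF-SITE REDIRECT PARAM: " + hit);
    }
}
```

Run against the constructed lines, the scanner reports the absolute URL, the protocol-relative '//evil.example' and the '/\evil.example' variant, and stays quiet on '/members/' and '~/profile/'. The same IsLocalUrl rule is what the hardened Razor line enforces, so anything the scanner flags in historical logs is exactly what the fixed form would have refused to redirect to.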
