CVE-2026-24687
📋 TL;DR
This vulnerability lets authenticated Umbraco backoffice users perform path traversal through the Umbraco Forms export endpoint, enumerating and reading arbitrary files on the server filesystem. It affects Umbraco Forms 16 and 17 running on macOS/Linux hosts. The issue is specific to those platforms; Umbraco Cloud, which is Windows-hosted, is not affected.
💻 Affected Systems
- Umbraco Forms
📦 What is this software?
Umbraco Forms is a commercial add-on package for the Umbraco CMS (ASP.NET Core) that lets backoffice editors build web forms and view and export the entries submitted to them. The export feature is where this flaw lives.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could read sensitive system files, configuration files, or application source code, potentially leading to credential theft, privilege escalation, or further system compromise.
Likely Case
Malicious or compromised backoffice users reading application configuration files containing database credentials, API keys, or other sensitive data.
If Mitigated
With backoffice access restricted to trusted networks and accounts, and the export endpoint filtered or disabled, exposure is confined to users who already hold backoffice access. Until the patch is applied, those users can still read files beyond what the export feature is meant to expose.
🎯 Exploit Status
Exploitation requires an authenticated backoffice account. The flaw is in the Forms export endpoint, whose fileName parameter accepts path traversal sequences (../ and ..\), so a request can point at files outside the intended export location.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.4.1 and 17.1.1
Vendor Advisory: https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh
Restart Required: Yes
Instructions:
1. Back up your Umbraco installation (files and database).
2. Update Umbraco Forms to 16.4.1 (for the 16.x line) or 17.1.1 (for 17.x).
3. Restart the application.
4. Confirm the installed Umbraco.Forms version is at or above the fixed version (see How to Verify).
🔧 Temporary Workarounds
WAF/Reverse Proxy Filtering
Configure the WAF or reverse proxy to reject requests whose fileName parameter contains path traversal sequences. The query string arrives undecoded, so match the percent-encoded forms as well as the literal ones. This is a stopgap: double-encoded (%252e) or overlong UTF-8 variants are not caught, and the rule must be removed once the patch is in.
# Example nginx rule. $args is the raw, undecoded query string, so both
# literal and percent-encoded sequences are matched. \x5c is the PCRE escape
# for a literal backslash; writing the backslash directly inside a quoted
# nginx string gets mangled by the config parser's own escaping. `return`
# inside `if` is one of the safe uses of `if` in a location block.
# Check with `nginx -t` before reloading.
location /umbraco/forms/api/v1/export {
    if ($args ~* "fileName=[^&]*(\.|%2e){2}(/|\x5c|%2f|%5c)") {
        return 403;
    }
}
🧯 If You Can't Patch
- Restrict network access to the Umbraco backoffice to trusted IP ranges only
- Block the /umbraco/forms/api/v1/export endpoint entirely if the export feature is not required
🔍 How to Verify
Check if Vulnerable:
Check Umbraco Forms version in Umbraco backoffice under Settings > Packages > Installed Packages
Check Version:
# Check in the Umbraco backoffice UI, or inspect the Umbraco.Forms PackageReference in the project's .csproj (or Directory.Packages.props under Central Package Management), or run `dotnet list package` in the project directory. Umbraco 16/17 are ASP.NET Core projects and do not use a packages.config file.
Verify Fix Applied:
Verify Umbraco Forms version is 16.4.1 or higher (for v16) or 17.1.1 or higher (for v17)
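The version check above, carried out programmatically. This is an added example, not code from the advisory or from Umbraco: it reads the Umbraco.Forms version out of a project file and compares it against the fixed releases named on this page (16.4.1 for 16.x, 17.1.1 for 17.x). The csproj content is constructed for illustration; majors the advisory does not name are reported as "unlisted" rather than guessed at.

```python
"""Check a project's Umbraco.Forms package version against the fixed
releases named in the advisory: 16.4.1 for the 16.x line and 17.1.1 for
17.x. Added example (not code from the advisory or from Umbraco); the
csproj snippet below is constructed for illustration. Umbraco 16/17 are
ASP.NET Core projects, so the version lives in a PackageReference in the
.csproj (or a PackageVersion item under Central Package Management), not
in a packages.config file."""
import xml.etree.ElementTree as ET

# Earliest fixed version per affected major, from the advisory.
FIXED = {16: (16, 4, 1), 17: (17, 1, 1)}

# Constructed sample project file, not from a real deployment.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="16.4.0" />
    <PackageReference Include="Umbraco.Forms" Version="16.4.0" />
  </ItemGroup>
</Project>
"""


def parse_version(text: str) -> tuple:
    """'16.4.1' -> (16, 4, 1); pre-release suffixes such as '-rc1' are dropped."""
    parts = tuple(int(p) for p in text.split("-")[0].split("."))
    return (parts + (0, 0, 0))[:3]


def forms_version_from_csproj(xml_text: str):
    """Return the Umbraco.Forms version string from PackageReference or
    PackageVersion items, or None if the package is not referenced."""
    root = ET.fromstring(xml_text)
    for tag in ("PackageReference", "PackageVersion"):
        for item in root.iter(tag):
            if item.get("Include", "").lower() == "umbraco.forms":
                # The version may be an attribute or a child element.
                return item.get("Version") or item.findtext("Version")
    return None


def assess(version_text: str) -> str:
    """'fixed', 'vulnerable', or 'unlisted' for majors the advisory does not name."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unlisted"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    found = forms_version_from_csproj(SAMPLE_CSPROJ)
    print(f"Umbraco.Forms {found}: {assess(found)}")
```

Point the script at every project that references Umbraco.Forms; in a solution with Central Package Management the version sits in Directory.Packages.props, which the PackageVersion branch covers.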
📡 Detection & Monitoring
Log Indicators:
- Requests to /umbraco/forms/api/v1/export whose fileName parameter contains ../ or ..\ sequences, including percent-encoded forms such as %2e%2e%2f and %2e%2e%5c (a 200 response with a non-trivial body size indicates the read succeeded)
- Unusual file access patterns from backoffice users
Network Indicators:
- HTTP requests with path traversal sequences in parameters
- Multiple export requests with varying fileName parameters
SIEM Query:
source="web_server" AND uri_path="/umbraco/forms/api/v1/export" AND (uri_query="*../*" OR uri_query="*..\\*" OR uri_query="*%2e%2e*")
Match case-insensitively; the wildcards catch literal and single-encoded variants only, so decode uri_query before matching where the SIEM supports it.
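The log indicators above, turned into detection logic that runs offline over access log lines. This is an added example, not part of the advisory and not Umbraco's code: it assumes nginx "combined" log format, uses the endpoint path and fileName parameter named on this page, decodes the query (repeatedly, to catch double encoding) before testing for traversal, and also flags sources that hit the export endpoint with several distinct fileName values. The log lines are constructed, not captured traffic.

```python
"""Flag path-traversal attempts against the Umbraco Forms export endpoint
in web-server access logs. Added example, not part of the advisory or of
Umbraco's code. Assumes nginx 'combined' log format; the sample lines are
constructed for illustration. Endpoint path and parameter name are the
ones named in the advisory page."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

EXPORT_PATH = "/umbraco/forms/api/v1/export"

# Constructed sample lines (nginx combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /umbraco/forms/api/v1/export?fileName=entries.csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2026:10:00:07 +0000] "GET /umbraco/forms/api/v1/export?fileName=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.4.0"
10.0.0.9 - - [01/Mar/2026:10:00:08 +0000] "GET /umbraco/forms/api/v1/export?fileName=..%2F..%2Fappsettings.json HTTP/1.1" 200 900 "-" "curl/8.4.0"
10.0.0.9 - - [01/Mar/2026:10:00:09 +0000] "GET /umbraco/forms/api/v1/export?fileName=%2e%2e%5c%2e%2e%5cweb.config HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.5 - - [01/Mar/2026:10:01:00 +0000] "GET /umbraco/backoffice/ HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component: at the start or after a separator, followed by a
# separator or the end. "report..final.csv" does not match.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' component with either separator."""
    normalized = fully_decode(value).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(normalized))


def parse_line(line: str):
    """Split one combined-format line into ip, timestamp, status, path, query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "path": parts.path,
        # parse_qs performs one round of percent-decoding on values.
        "query": parse_qs(parts.query, keep_blank_values=True),
    }


def file_names(query: dict) -> list:
    """ASP.NET Core treats query keys case-insensitively, so match loosely."""
    return [v for k, vs in query.items() if k.lower() == "filename" for v in vs]


def scan(log_text: str, burst_threshold: int = 3):
    """Return (traversal findings, sources with many distinct export names)."""
    findings = []
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != EXPORT_PATH:
            continue
        for name in file_names(rec["query"]):
            distinct[rec["ip"]].add(name)
            if is_traversal(name):
                findings.append({"ip": rec["ip"], "ts": rec["ts"],
                                 "status": rec["status"], "fileName": name})
    bursts = {ip: len(names) for ip, names in distinct.items()
              if len(names) >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} fileName={hit['fileName']!r}")
    print("sources with many distinct export names:", noisy)
```

Findings carry the response status so an analyst can triage 200s (the read most likely succeeded) ahead of 404s. The burst count is a weak signal on its own; combine it with the backoffice user from the application's own audit log, since the access log only identifies the source address.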