{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27449", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T17:25:31.100Z", "datePublished": "2026-02-26T21:51:14.512Z", "dateUpdated": "2026-02-26T21:51:14.512Z"}, "containers": {"cna": {"title": "Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62"}], "affected": [{"vendor": "umbraco", "product": "Umbraco.Engage.Forms", "versions": [{"version": "< 16.2.1", "status": "affected"}, {"version": ">= 17.0.0, < 17.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T21:51:14.512Z"}, "descriptions": [{"lang": "en", "value": "Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available."}], "source": {"advisory": "GHSA-86vq-ccwf-rm62", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available."}, {"lang": "es", "value": "Umbraco Engage es una plataforma de inteligencia de negocios. Una vulnerabilidad ha sido identificada en Umbraco Engage en versiones anteriores a la 16.2.1 y 17.1.1 donde ciertos endpoints de la API est\u00e1n expuestos sin aplicar comprobaciones de autenticaci\u00f3n o autorizaci\u00f3n. Los endpoints afectados pueden ser accedidos directamente a trav\u00e9s de la red sin requerir una sesi\u00f3n v\u00e1lida o credenciales de usuario. Al proporcionar un par\u00e1metro identificador controlado por el usuario (por ejemplo, ?id=), un atacante puede recuperar datos sensibles asociados con registros arbitrarios. Debido a que no se realiza ninguna validaci\u00f3n de control de acceso, los endpoints son vulnerables a ataques de enumeraci\u00f3n, permitiendo a los atacantes iterar sobre identificadores y extraer datos a escala. Un atacante no autenticado puede recuperar datos sensibles relacionados con Engage consultando directamente los endpoints de la API afectados. La vulnerabilidad permite el acceso arbitrario a registros a trav\u00e9s de identificadores predecibles o enumerables. El impacto en la confidencialidad se considera alto. No se ha identificado ning\u00fan impacto directo en la integridad o disponibilidad. El alcance de los datos expuestos depende de la implementaci\u00f3n, pero puede incluir datos anal\u00edticos, datos de seguimiento, informaci\u00f3n relacionada con clientes u otro contenido gestionado por Engage. La vulnerabilidad afecta tanto a la v16 como a la v17. Los parches ya han sido lanzados. Se aconseja a los usuarios actualizar a la 16.2.1 o 17.1.1. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-27449", "lastModified": "2026-02-27T14:06:37.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T22:20:47.960", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/umbraco/Umbraco.Engage.Issues/security/advisories/GHSA-86vq-ccwf-rm62"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0,17.1.1)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Umbraco.Engage.Forms", "source": "cna", "vendor": "umbraco"}, "product": "umbraco_forms", "vendor": "umbraco"}], "created": "2026-02-27T09:04:03.128778+00:00", "updated": "2026-02-27T09:04:03.128852+00:00", "vendors": ["umbraco", "umbraco$PRODUCT$umbraco_forms"]}