CVE-2025-46736

Published: May 6, 2025Modified: Sep 3, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available.

Affected (2)

Products: Umbraco: Umbraco Cms

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Umbraco Umbraco Cms	Before 10.8.10
Umbraco Umbraco Cms	From 10.9.0 to 13.8.1

Related CWEs

Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References (3)

https://github.com/umbraco/Umbraco-CMS/commit/14fbd20665b453cbf094ccf4575b79a9fba07e03

Source: security-advisories@github.com

Patch

https://github.com/umbraco/Umbraco-CMS/commit/34709be6cce9752dfa767dffbf551305f48839bc

Source: security-advisories@github.com

Patch

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4g8m-5mj5-c8xg

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.