CVE-2025-27602: 
C# vulnerability analysis and mitigation

Umbraco, a free and open source .NET content management system, disclosed a security vulnerability (CVE-2025-27602) affecting versions prior to 10.8.9 and 13.7.1. The vulnerability allows authenticated backoffice users to bypass access controls and manipulate content through API URLs, enabling them to retrieve or delete content or media held within folders they should not have access to (GitHub Advisory).

The vulnerability stems from improper authorization controls in the backoffice API URL handling. The issue specifically relates to the parsing of node IDs in content and media permission querystring handlers, where the system failed to properly validate access permissions when multiple values were provided in the querystring. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with high attack complexity, requiring low privileges and no user interaction (GitHub Advisory).

The vulnerability enables authenticated backoffice users to perform unauthorized actions, including retrieving and deleting content or media from folders they should not have access to. This represents a breach of access control mechanisms and could lead to unauthorized data access and potential data loss (GitHub Advisory).

The vulnerability has been patched in Umbraco versions 10.8.9 and 13.7.1. No workarounds are available for affected versions, making upgrading to the patched versions the only solution (GitHub Advisory).