CVE-2025-46736 Overview
CVE-2025-46736 is an information disclosure vulnerability in Umbraco CMS, an open source .NET content management system. The flaw allows unauthenticated attackers to enumerate valid user accounts by measuring response time differences in the post-login API. By analyzing the timing of authentication responses, attackers can determine whether a submitted username or email corresponds to a registered account. The issue is tracked under [CWE-204: Observable Response Discrepancy] and affects Umbraco CMS versions prior to 10.8.10 and 13.8.1. Umbraco patched the issue in versions 10.8.10 and 13.8.1. No workarounds are available.
Critical Impact
Remote, unauthenticated attackers can enumerate valid Umbraco accounts via login API response timing, enabling targeted password spraying and credential-stuffing campaigns against confirmed users.
Affected Products
- Umbraco CMS versions prior to 10.8.10
- Umbraco CMS versions prior to 13.8.1
- Umbraco CMS (umbraco:umbraco_cms component)
Discovery Timeline
- 2025-05-06 - CVE-2025-46736 published to NVD
- 2025-09-03 - Last updated in NVD database
Technical Details for CVE-2025-46736
Vulnerability Analysis
The vulnerability is a timing-based side channel [CWE-204] in the Umbraco login API. When a user submits credentials, the server follows different code paths depending on whether the account exists. Valid usernames trigger password hash verification, which is computationally expensive. Invalid usernames short-circuit before hash verification runs. The measurable difference in response time between these two code paths leaks information about account existence.
An attacker can script repeated login attempts with candidate usernames and measure response latency. Statistically significant timing differences disclose which accounts are registered. This converts an authentication endpoint into an account enumeration oracle.
While the flaw does not directly grant access, it materially aids follow-on attacks. Attackers can build verified target lists for credential stuffing, password spraying, and phishing without triggering account lockout heuristics tied to invalid usernames.
Root Cause
The root cause is inconsistent processing time between the existing-account and non-existing-account branches of the login handler. The patches in commits 14fbd20665b453cbf094ccf4575b79a9fba07e03 and 34709be6cce9752dfa767dffbf551305f48839bc normalize the response timing so both code paths take comparable durations regardless of account existence.
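To illustrate the root cause and the shape of the fix, here is an added Python example (not Umbraco's own code, which is C#): a login check that short-circuits for unknown accounts beside one that always performs the same hashing work, with a small timer showing the latency a probe would measure. The user store, passwords and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 50_000  # PBKDF2 work factor; high enough that hashing dominates latency

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store (username -> (salt, hash)); not Umbraco's real account table.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy credential checked whenever the account is missing, so that branch
# performs the same hashing work as the valid-account branch.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password-never-accepted", _DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> bool:
    """CWE-204 pattern: unknown users return before any hashing happens."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: response time reveals the account does not exist
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)

def login_hardened(username: str, password: str) -> bool:
    """Both branches hash and compare, so latency no longer depends on account existence."""
    record = USERS.get(username)
    if record is None:
        hmac.compare_digest(_hash(password, _DUMMY_SALT), _DUMMY_HASH)  # result discarded
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)

def median_latency_ms(fn, username: str, samples: int = 5) -> float:
    """Median wall-clock time of fn(username, wrong_password): the signal a probe measures."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        fn(username, "wrong-password")
        times.append((time.perf_counter() - start) * 1000)
    return statistics.median(times)

if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(f"{fn.__name__:17} valid user: {median_latency_ms(fn, 'alice'):6.1f} ms   "
              f"unknown user: {median_latency_ms(fn, 'nobody'):6.1f} ms")
```

Run stand-alone, the vulnerable handler answers unknown users in microseconds while the hardened one takes roughly the same time for both; the absolute numbers depend on the machine.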
Attack Vector
Exploitation requires only network access to the Umbraco login endpoint. No authentication, user interaction, or special privileges are required. The attacker issues login requests with target usernames, records server response times across multiple samples, and applies statistical analysis to distinguish valid accounts from invalid ones. See the GitHub Security Advisory GHSA-4g8m-5mj5-c8xg for additional technical context.
Detection Methods for CVE-2025-46736
Indicators of Compromise
- High volumes of failed login POST requests from a single source IP or distributed IP set against /umbraco backoffice login endpoints.
- Sequential or dictionary-style username submissions with consistent request timing patterns.
- Login traffic originating from non-business geographies or known anonymization infrastructure such as VPN or Tor exit nodes.
Detection Strategies
- Instrument the login endpoint with request-level logging that captures username, source IP, user agent, and server-side response latency.
- Apply rate-based alerting on the login route when request counts exceed normal baselines per source IP or session.
- Correlate failed login bursts with subsequent successful authentications from the same client to identify enumeration-followed-by-compromise patterns.
Monitoring Recommendations
- Forward Umbraco application logs and web server access logs to a centralized SIEM for retention and correlation.
- Track timing distributions of login responses to detect probing scripts attempting to measure server latency.
- Alert on enumeration sequences where many distinct usernames are attempted from the same client within short time windows.
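The detection strategies and monitoring recommendations above, as an added example that is not part of the advisory: a small Python detector over a constructed request-level login log (the log format, addresses and usernames are invented for the example) that flags a source IP submitting many distinct usernames inside a short window and records whether that IP later authenticates successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed request-level login log (not Umbraco's native format): one line per attempt.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"status=(?P<status>\d{3}) latency_ms=(?P<lat>\d+)$")

SAMPLE_LOG = """\
2025-05-07T10:00:00Z ip=203.0.113.5 user=admin status=401 latency_ms=38
2025-05-07T10:00:01Z ip=203.0.113.5 user=alice status=401 latency_ms=92
2025-05-07T10:00:01Z ip=203.0.113.5 user=bob status=401 latency_ms=37
2025-05-07T10:00:02Z ip=203.0.113.5 user=carol status=401 latency_ms=39
2025-05-07T10:00:02Z ip=203.0.113.5 user=dave status=401 latency_ms=36
2025-05-07T10:00:03Z ip=203.0.113.5 user=editor status=401 latency_ms=91
2025-05-07T10:00:30Z ip=198.51.100.7 user=alice status=401 latency_ms=90
2025-05-07T10:00:45Z ip=198.51.100.7 user=alice status=200 latency_ms=93
2025-05-07T10:04:10Z ip=203.0.113.5 user=alice status=200 latency_ms=90
"""

def parse(log_text):
    """Yield (timestamp, ip, username, status, latency_ms) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["ip"], m["user"], int(m["status"]), int(m["lat"])

def enumeration_alerts(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Flag IPs that fail logins for >= min_distinct different usernames inside `window`,
    and note whether the same IP later authenticates (enumeration followed by compromise)."""
    recent = defaultdict(deque)  # ip -> (ts, user) of recent failed attempts
    alerts = {}
    for ts, ip, user, status, _ in parse(log_text):
        if status == 200:
            if ip in alerts:
                alerts[ip]["followed_by_success"] = True
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # evict attempts older than the window
            q.popleft()
        distinct = sorted({u for _, u in q})
        if len(distinct) >= min_distinct:
            alerts.setdefault(ip, {"followed_by_success": False})["usernames"] = distinct
    return alerts

if __name__ == "__main__":
    for ip, info in enumeration_alerts(SAMPLE_LOG).items():
        print(ip, info)
```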
How to Mitigate CVE-2025-46736
Immediate Actions Required
- Upgrade Umbraco CMS to version 10.8.10 or 13.8.1 or later as soon as possible.
- Enforce multi-factor authentication on all backoffice accounts to reduce the value of enumerated usernames.
- Restrict access to the Umbraco backoffice login endpoint by IP allowlist or VPN where operationally feasible.
- Deploy rate limiting and CAPTCHA on the login endpoint to slow automated enumeration attempts.
Patch Information
Umbraco released fixes in versions 10.8.10 and 13.8.1. The patches are available in the upstream commits 14fbd20 and 34709be. Full details are documented in the GitHub Security Advisory GHSA-4g8m-5mj5-c8xg.
Workarounds
- No vendor-supplied workarounds are available. Upgrading to a patched version is the only remediation.
- As compensating controls, place the backoffice behind a web application firewall with anti-automation rules and aggressive rate limiting on the login route.
- Monitor authentication logs for enumeration patterns and proactively reset credentials for accounts targeted in suspected campaigns.
# Verify installed Umbraco version against patched releases
# Patched: 10.8.10 and 13.8.1 or later
# Run from the directory containing the Umbraco project or solution file
dotnet list package | grep -i Umbraco.Cms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.