CVE-2026-31833 Overview
CVE-2026-31833 is a Stored Cross-Site Scripting (XSS) vulnerability in Umbraco CMS, an ASP.NET content management system. The vulnerability exists in versions 16.2.0 through 16.5.0 and versions prior to 17.2.2. An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (using the regex /.+/) in the UFM DOMPurify instance, event handler attributes such as onclick and onload, when used within Umbraco web components (umb-*, uui-*, ufm-*), were not properly filtered.
Critical Impact
Authenticated attackers with backoffice Settings access can inject persistent malicious scripts that execute in the context of other administrator sessions, potentially leading to session hijacking, privilege escalation, or unauthorized administrative actions.
Affected Products
- Umbraco CMS versions 16.2.0 to before 16.5.1
- Umbraco CMS versions 17.x to before 17.2.2
- Umbraco backoffice Settings module
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-31833 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-31833
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The root issue lies in the DOMPurify sanitization configuration used within the Umbraco Frontend Module (UFM).
DOMPurify is a widely-used XSS sanitizer library that filters potentially dangerous HTML content. However, Umbraco's implementation used an overly permissive regular expression (/.+/) for the attributeNameCheck configuration option. This regex effectively allows any attribute name to pass through the sanitization process, including dangerous event handler attributes like onclick, onmouseover, and onload.
The vulnerability specifically manifests when these event handler attributes are embedded within Umbraco's custom web components (prefixed with umb-*, uui-*, or ufm-*). Since these components are part of Umbraco's backoffice UI framework, the malicious payloads persist in the database and execute whenever other authenticated users view the affected property type descriptions.
Root Cause
The root cause is the misconfigured DOMPurify attributeNameCheck option using the overly permissive regex pattern /.+/. This configuration was intended to allow custom attributes used by Umbraco's web components but inadvertently permitted event handler attributes that should have been stripped during sanitization. The proper configuration should have used a more restrictive pattern that explicitly blocked known dangerous attributes or only allowed a specific allowlist of safe attribute patterns.
Attack Vector
The attack requires an authenticated user with access to the Umbraco backoffice Settings section. The attacker navigates to property type configuration and injects malicious HTML containing event handler attributes (such as onclick or onload) within the property type description field. When other administrators or content editors view these property type descriptions, the injected JavaScript executes in their browser session with their privileges.
This is a network-based attack that requires high privileges (backoffice Settings access) but no user interaction once the payload is injected, as the malicious content automatically renders when the affected pages are viewed.
The vulnerability mechanism exploits the permissive DOMPurify configuration to bypass XSS protections. An attacker could craft malicious HTML using Umbraco web components with embedded event handlers. For detailed technical information and proof of concept examples, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-31833
Indicators of Compromise
- Unexpected JavaScript event handler attributes (onclick, onload, onmouseover, onerror) in property type description fields within the Umbraco database
- Suspicious HTML content containing umb-*, uui-*, or ufm-* elements with inline event handlers
- Anomalous backoffice user activity in Settings sections, particularly bulk modifications to property types
- Browser console errors or unexpected script execution warnings when viewing property type configurations
Detection Strategies
- Implement Content Security Policy (CSP) headers with strict script-src directives to detect and block inline script execution attempts
- Monitor database tables storing property type descriptions for HTML content containing event handler patterns
- Deploy Web Application Firewall (WAF) rules to detect XSS patterns in requests to backoffice endpoints
- Review audit logs for unusual modifications to property type configurations by backoffice users
Monitoring Recommendations
- Enable detailed logging for all backoffice Settings modifications, including user identity and content changes
- Configure alerting for property type description updates containing suspicious HTML patterns
- Implement real-time monitoring of client-side script execution anomalies in the backoffice interface
- Establish baseline behavioral profiles for backoffice users and alert on deviations in Settings access patterns
How to Mitigate CVE-2026-31833
Immediate Actions Required
- Upgrade Umbraco CMS to version 16.5.1 or later for 16.x installations
- Upgrade Umbraco CMS to version 17.2.2 or later for 17.x installations
- Audit existing property type descriptions for potentially malicious HTML content
- Review backoffice user permissions and restrict Settings access to only essential personnel
- Implement additional Content Security Policy headers as a defense-in-depth measure
Patch Information
Umbraco has released security patches in versions 16.5.1 and 17.2.2 that address this vulnerability. The fix corrects the DOMPurify attributeNameCheck configuration to properly filter dangerous event handler attributes while still allowing legitimate custom attributes used by Umbraco web components.
For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Restrict backoffice Settings access to only trusted administrators until patches can be applied
- Implement a Web Application Firewall (WAF) rule to filter requests containing event handler attributes in property type description fields
- Enable and enforce Content Security Policy headers to mitigate the impact of any successful XSS injection
- Conduct a manual audit of all property type descriptions to identify and remove any suspicious HTML content
# Example: Implementing CSP headers in IIS web.config for Umbraco
# Add to your web.config under <system.webServer><httpProtocol><customHeaders>
# <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
