CVE-2026-46616 Overview
CVE-2026-46616 is an open redirect vulnerability in Umbraco, an ASP.NET-based content management system (CMS). The flaw affects the Surface Controllers responsible for member-related operations in versions prior to 13.14.0 and 17.4.0. These controllers fail to validate redirect URLs, so Razor templates that derive RedirectUrl from user-controlled query parameters can redirect visitors to attacker-chosen destinations. The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). Umbraco released patched versions 13.14.0 and 17.4.0 to address the issue.
Critical Impact
Attackers can craft links that appear to point to a trusted Umbraco site but redirect victims to phishing or malware-hosting domains after user interaction.
Affected Products
- Umbraco CMS versions prior to 13.14.0
- Umbraco CMS versions prior to 17.4.0
- Razor templates that consume RedirectUrl from query parameters via member Surface Controllers
Discovery Timeline
- 2026-06-10 - CVE-2026-46616 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46616
Vulnerability Analysis
Umbraco ships with several Surface Controllers that handle member workflows such as login, logout, registration, and password reset. These controllers accept a RedirectUrl value sourced from user-controlled query parameters. The framework forwards that value to Razor templates, which use it to redirect the user after the controller action completes.
In affected releases, the controllers do not validate whether RedirectUrl points to the application's own origin. An attacker can supply an absolute external URL, and the application issues an HTTP redirect to that destination. The flaw is a classic open redirect classified under CWE-601.
The vulnerability requires user interaction. A victim must click a crafted link or submit a form pointing to an Umbraco member endpoint. The integrity and confidentiality impact stems from phishing scenarios in which the trusted Umbraco domain lends legitimacy to the redirect chain.
Root Cause
The root cause is missing destination validation in member Surface Controllers. The controllers treat RedirectUrl as trusted input rather than validating it against an allow list of relative paths or same-origin URLs. Razor templates that read the parameter inherit this trust and emit the redirect without sanitization.
Attack Vector
An attacker constructs a URL targeting a vulnerable member endpoint, such as a login or logout action, and appends a RedirectUrl query parameter containing an external domain. The attacker delivers the link through email, chat, or a malicious website. When the victim clicks the link and completes the member operation, the Umbraco site redirects the browser to the attacker-controlled destination, where credential harvesting or drive-by download payloads can execute.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-2qjj-h6wp-c7h7 for vendor-supplied technical details.
Detection Methods for CVE-2026-46616
Indicators of Compromise
- HTTP requests to Umbraco member endpoints containing RedirectUrl query parameters with absolute URLs or protocol-relative paths pointing to external domains
- Web server access logs showing 302 responses with Location headers pointing to domains outside the site's own origin
- Referrer spikes from third-party sites linking to member controller URLs with suspicious RedirectUrl values
Detection Strategies
- Inspect web server and application logs for RedirectUrl, returnUrl, or similar parameters whose values begin with http://, https://, or //
- Correlate inbound clicks on Umbraco member URLs with outbound 30x redirects to unrelated domains
- Hunt for phishing campaigns that reference your Umbraco site as the initial landing URL
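The two log-hunting strategies above, worked through in C# as an added example (not Umbraco's code or the page's own). The log line layout (client, request line, status, Location response header), the site host www.site.example and the /members/... paths are assumptions and placeholders, not real Umbraco routes; the sample lines are constructed.

```csharp
// Added example, not Umbraco's code: a scan for the two Detection Strategies
// patterns over an access log. The line layout (client, request line, status,
// Location header) and the host www.site.example are assumptions, and the
// /members/... paths are placeholders, not real Umbraco routes.
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class RedirectHunt
{
    static readonly Regex Line = new Regex(
        @"^(?<ip>\S+) ""(?<method>\S+) (?<target>\S+) HTTP/[\d.]+"" (?<status>\d{3}) ""(?<location>[^""]*)""$");
    // External value: optional scheme, then //, then the host (case-insensitive, so HTTPS:// counts)
    static readonly Regex External = new Regex(@"^\s*(?:https?:)?//(?<host>[^/?#]+)", RegexOptions.IgnoreCase);
    static readonly string[] RedirectParams = { "redirecturl", "returnurl", "redirect" };

    public static List<string> Scan(IEnumerable<string> lines, string siteHost)
    {
        var hits = new List<string>();
        foreach (var raw in lines)
        {
            var m = Line.Match(raw);
            if (!m.Success) continue;
            string ip = m.Groups["ip"].Value, target = m.Groups["target"].Value;
            int q = target.IndexOf('?');
            // Strategy 1: redirect-style parameters whose decoded value points off-site
            foreach (var kv in (q < 0 ? "" : target[(q + 1)..]).Split('&', StringSplitOptions.RemoveEmptyEntries))
            {
                int eq = kv.IndexOf('=');
                if (eq < 0 || !RedirectParams.Contains(kv[..eq].ToLowerInvariant())) continue;
                var val = Uri.UnescapeDataString(kv[(eq + 1)..]);
                if (External.IsMatch(val)) hits.Add($"{ip} external {kv[..eq]}={val} in {target}");
            }
            // Strategy 2: a 30x response whose Location host is not the site's own
            var loc = External.Match(m.Groups["location"].Value);
            if (m.Groups["status"].Value[0] == '3' && loc.Success
                && !loc.Groups["host"].Value.Equals(siteHost, StringComparison.OrdinalIgnoreCase))
                hits.Add($"{ip} {m.Groups["status"].Value} -> {loc.Groups["host"].Value} from {target}");
        }
        return hits;
    }

    public static void Main()
    {
        string[] sample =  // constructed log lines; only the first is benign
        {
            "203.0.113.5 \"GET /members/login?RedirectUrl=%2Fmembers%2Fprofile HTTP/1.1\" 302 \"/members/profile\"",
            "203.0.113.9 \"GET /members/login?RedirectUrl=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1\" 302 \"https://phish.example/login\"",
            "198.51.100.7 \"GET /members/logout?returnUrl=//phish.example HTTP/1.1\" 302 \"//phish.example\"",
        };
        foreach (var hit in Scan(sample, "www.site.example")) Console.WriteLine(hit);
    }
}
```

The benign first line produces no output; the other two each produce two findings, one from the decoded parameter and one from the off-site Location header, which is the correlation the second strategy describes.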
Monitoring Recommendations
- Enable verbose request logging on Umbraco Surface Controllers handling member operations
- Alert when redirect responses route users to domains not on an allow list
- Monitor user reports of unexpected redirects originating from your Umbraco-powered properties
How to Mitigate CVE-2026-46616
Immediate Actions Required
- Upgrade Umbraco CMS to version 13.14.0 or later on the 13 (LTS) branch, or to 17.4.0 or later on the 17 branch
- Audit custom Razor templates that consume RedirectUrl from query parameters and add same-origin validation
- Review web application firewall (WAF) rules to block external URLs in redirect-style query parameters until patching completes
Patch Information
Umbraco addressed the issue in versions 13.14.0 and 17.4.0. Refer to GitHub Pull Request #22561 and GitHub Pull Request #22565 for the upstream code changes, and to the GitHub Security Advisory GHSA-2qjj-h6wp-c7h7 for full guidance.
Workarounds
- Override affected Razor templates to validate RedirectUrl against a list of allowed relative paths before issuing redirects
- Strip absolute URLs and protocol-relative values from RedirectUrl query parameters at the reverse proxy or WAF layer
- Disable or restrict access to public member endpoints that are not required by the site until patches are applied
# Example WAF rule (ModSecurity syntax) to block external redirect values
# Reject requests where RedirectUrl begins with http://, https://, or //;
# the value is lowercased first so mixed-case schemes such as HTTPS:// are caught too
SecRule ARGS:RedirectUrl "@rx ^(https?:)?//" \
    "id:1004616,phase:2,t:none,t:lowercase,deny,status:400,msg:'CVE-2026-46616 open redirect attempt'"
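The same-origin check that the Root Cause and Workarounds sections call for, as an added C# example that is not Umbraco's code or the page's own. It applies the same rule as ASP.NET Core's built-in Url.IsLocalUrl(), which LocalRedirect() enforces in a controller; the class and method names are assumed, and the sample values are constructed.

```csharp
// Added example, not Umbraco's code: the same-origin check a member Surface
// Controller or Razor view should apply to RedirectUrl before redirecting.
// It mirrors the rule ASP.NET Core's Url.IsLocalUrl() applies; in a controller,
// LocalRedirect() gives the same protection. SafeRedirect/Resolve are assumed names.
#nullable enable
using System;
using System.Linq;

public static class SafeRedirect
{
    // A value is local only if it is exactly one leading slash followed by anything
    // other than a second slash or a backslash. This rejects absolute URLs
    // ("https://phish.example"), protocol-relative ones ("//phish.example") and the
    // backslash form ("/\phish.example"), which browsers normalise to "//".
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        // Whitespace or control characters never belong in a legitimate path here
        if (url.Any(c => char.IsWhiteSpace(c) || char.IsControl(c))) return false;
        if (url[0] != '/') return false;                 // "https://..." or a bare host
        if (url.Length == 1) return true;                // "/" is the site root
        return url[1] != '/' && url[1] != '\\';          // "//host" or "/\host"
    }

    // What a template should actually emit: the supplied RedirectUrl when it is
    // local, otherwise a fixed fallback page on the same site.
    public static string Resolve(string? redirectUrl, string fallback = "/")
        => IsLocalUrl(redirectUrl) ? redirectUrl! : fallback;

    public static void Main()
    {
        // Constructed values: three legitimate relative paths, then the external
        // shapes the Workarounds list describes, including a mixed-case scheme
        // that a case-sensitive pattern would miss.
        string?[] samples =
        {
            "/members/profile", "/", "/members/profile?tab=2",
            "https://phish.example/login", "//phish.example", "/\\phish.example",
            "HTTPS://phish.example", null,
        };
        foreach (var s in samples)
            Console.WriteLine($"{s ?? "<null>",-32} -> {Resolve(s)}");
    }
}
```

In a Razor view the parameter arrives as Context.Request.Query["RedirectUrl"] (a StringValues that converts to string implicitly), so SafeRedirect.Resolve(Context.Request.Query["RedirectUrl"]) is the call to make before any redirect is issued.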
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.