Advisory Database
  • Advisories
  • Dependency Scanning
  1. nuget
  2. ›
  3. Umbraco.AI
  4. ›
  5. GHSA-q3v2-xj35-9grx

GHSA-q3v2-xj35-9grx: Umbraco.AI discloses sensitive application configuration values

July 14, 2026

Under certain configurations, a user with elevated privileges may be able to cause sensitive application configuration values, potentially including secret material such as credentials, to be disclosed. Successful exploitation could expose confidential information and, depending on what the affected installation stores in configuration, enable further compromise. Exploitation requires access to the AI section of the backoffice and a specific custom AI provider, which limits real-world exposure.

References

  • github.com/advisories/GHSA-q3v2-xj35-9grx
  • github.com/umbraco/Umbraco.AI/releases/tag/2026.06.2
  • github.com/umbraco/Umbraco.AI/security/advisories/GHSA-q3v2-xj35-9grx
  • umbraco.com/blog/security-advisory-june-4-2026-security-patch-for-umbracoai-is-now-available

Code Behaviors & Features

Detect and mitigate GHSA-q3v2-xj35-9grx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.14.0

Fixed versions

  • 1.14.0

Solution

Upgrade to version 1.14.0 or above.

Impact 4.9 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

nuget/Umbraco.AI/GHSA-q3v2-xj35-9grx.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 15 Jul 2026 12:18:56 +0000.