CVE-2026-46616: Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

May 21, 2026

Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive ‘RedirectUrl’ from user-controlled query parameters vulnerable to malicious redirect attacks.

References

github.com/advisories/GHSA-2qjj-h6wp-c7h7
github.com/umbraco/Umbraco-CMS/pull/22561
github.com/umbraco/Umbraco-CMS/pull/22565
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-2qjj-h6wp-c7h7
nvd.nist.gov/vuln/detail/CVE-2026-46616

Code Behaviors & Features

Detect and mitigate CVE-2026-46616 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →