Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality

Description

Impact

Due to unsafe handling and deletion of temporary files during the dictionary upload process, an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents.

In certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. The direct impact of this vulnerability is therefore limited to confidentiality, which is reflected in its CVSS base score of 4.9

While the CVSS Base Score captures only the immediate effect, the practical risk varies significantly based on hosting environment and identity configuration. Umbraco Cloud sites run under low-privilege, isolated Azure App Service worker identities, which mitigates the impact of any credential exposure. In contrast, self-hosted deployments could run Umbraco using privileged local or domain accounts. If such an account’s NTLM hash is disclosed, an attacker may be able to:
- Perform NTLM relay attacks
- Crack the hash offline to recover the underlying password
- Authenticate as the compromised identity
- Access internal systems trusted by that identity
- Move laterally within the network
- Potentially escalate to full domain compromise in weakly segmented environments

These outcomes are not part of the CVSS base score, which only rates the immediate confidentiality impact, but represent realistic downstream consequences for installations using elevated or widely-trusted service accounts. Self-hosted environments running Umbraco under privileged identities are therefore at significantly higher risk.

Vulnerability found and reported by Tomasz Holeksa at Pentest Limited

Patches

The issue has been patched in 13.12.1.

Workarounds

The issue can only be exploited by authorized backoffice accounts with access to the "Translations" section.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-12-09 17:12:18 UTC
Updated
2025-12-09 21:37:26 UTC
GitHub reviewed
2025-12-09 17:12:18 UTC
NVD published
2025-12-09

EPSS Score

Score Percentile
0.05% 16.27%

CVSS Scores

Base score Version Severity Vector
4.9 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-377 Insecure Temporary File
CWE-552 Files or Directories Accessible to External Parties

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
nuget Umbraco.Cms >= 10.0.0, <= 13.12.0 13.12.1

References

cvelogic Threat Intelligence