7 matches found
Improper Access Control
umbraco.cms.api.delivery is vulnerable to improper access control. The vulnerability is due to output caching not varying by the API key authorization header, which allows an attacker to access cached API responses without a valid key if they were previously requested by an authorized user...
CVE-2025-54425 Umbraco's Delivery API allows for cached requests to be returned with an invalid API key
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such...
CVE-2025-54425 Umbraco's Delivery API allows for cached requests to be returned with an invalid API key
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such...
CVE-2025-54425
CVE-2025-54425 affects Umbraco’s Delivery API. When public access is restricted by an API key header and output caching is enabled, the cache does not vary by the API key header, potentially returning cached responses to users without a valid API key if a prior request with a valid key occurred. ...
Missing Authorization
Overview Umbraco.Cms.Api.Delivery is a presentation layer for the Umbraco CMS Delivery API. Affected versions of this package are vulnerable to Missing Authorization in IOutputCachePolicy.CacheRequestAsync. An attacker can access sensitive information by sending requests without a valid API key a...
Umbraco Delivery API allows for cached requests to be returned with an invalid API key
Impact Umbraco's content delivery API can be restricted from public access such that an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance...
GHSA-75VQ-QVHR-7FFR Umbraco Delivery API allows for cached requests to be returned with an invalid API key
Impact Umbraco's content delivery API can be restricted from public access such that an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance...