CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-Q3V2-XJ35-9GRX

GHSA-Q3V2-XJ35-9GRX: Unrestricted Configuration Resolution in Umbraco.AI Leads to Sensitive Information Exposure

Alon Barad
Alon Barad
Software Engineer

Jul 14, 2026·6 min read·5 visits

Executive Summary (TL;DR)

Umbraco.AI versions <= 1.13.0 allow administrators to extract sensitive application secrets (like database connection strings) by exploiting an unrestricted dynamic configuration resolver.

An information exposure vulnerability exists in Umbraco.AI package versions up to 1.13.0, where an authenticated backoffice user with elevated privileges can resolve and retrieve arbitrary configuration values from the global ASP.NET Core IConfiguration hierarchy.

Vulnerability Overview

The Umbraco.AI core integration layer allows administrators to configure integrations with external Large Language Model (LLM) providers like OpenAI, Anthropic, and AWS Bedrock. To simplify credential management and avoid hardcoding secrets in database tables, the package features a dynamic configuration lookup resolver. When a configuration parameter begins with a $ character, the integration layer intercepts this value and attempts to resolve it dynamically from the server host's application settings.

In versions of Umbraco.AI up to and including 1.13.0, this resolver mechanism does not perform any validation on the requested configuration paths. The design acts as an unrestricted reader of the application's global IConfiguration container. This allows high-privileged administrative accounts to request any configuration key in the system, creating an information disclosure vector.

This vulnerability is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The target attack surface is the Umbraco backoffice administrative interface, specifically the AI connection settings forms. Because the application exposes sensitive system parameters, an administrative attacker can escalate access by discovering infrastructure credentials.

Root Cause Analysis

The root cause lies in the overly permissive design of the dynamic configuration parsing engine within the Umbraco.AI core codebase. The system was designed to accept any string prefixed with $ as an alias pointing to the underlying IConfiguration provider. At runtime, the resolver extracts the prefix, parses the remaining path string, and invokes the standard configuration retrieval API without verifying if the path is restricted or if the target attribute is intended to be public.

For instance, when a developer configures an API key reference such as $OpenAI:ApiKey, the system reads the string, splits it by the delimiter :, and accesses _configuration["OpenAI:ApiKey"]. However, because there is no boundary validation, an attacker can input any logical path available within the JSON configurations, environment variables, or secret managers. This includes root-level properties or unrelated branches of the IConfiguration tree.

To trigger the resolution, the attacker must cause the system to evaluate the config setting. This typically occurs during standard operations such as verifying a connection, initiating an AI-driven agent task, or triggering validation schemas. When the system attempts to authenticate against the external provider using the resolved value, the secret is processed and, in many cases, exposed within the resulting application errors or network logs.

Code Analysis

The patch release 2026.06.2 introduced major structural changes to the way configuration values are parsed and resolved. In vulnerable versions, there were no restrictive guardrails on keys. In the patched versions (starting with 1.14.0), the system implements a strict default-deny model.

Below is an illustration of the configuration structure change before and after the patch:

// VULNERABLE APPROACH (Any key path could be resolved)
{
  "ApiKey": "$OpenAI:ApiKey",
  "ConnectionStrings": {
    "umbracoDbDSN": "Server=db;Database=umbraco;User Id=sa;Password=secret;"
  }
}
// PATCHED APPROACH (Strict default-deny prefix enforcement)
{
  "ApiKey": "$Umbraco:AI:Secrets:OpenAIApiKey"
}

The underlying C# configuration resolver was updated to validate the requested path against an allowlist. The default allowed prefixes are restricted to:

  • Umbraco:AI:Secrets (for highly sensitive credentials)
  • Umbraco:AI:Variables (for standard application options)

The dynamic resolver checks the parsed string prefix against AIOptions.AllowedConfigurationKeyPrefixes. If the key does not match these prefixes, the resolver rejects the request and throws a security exception. Additionally, values retrieved from Umbraco:AI:Secrets are only permitted to populate configuration properties explicitly marked as sensitive using metadata decorators (such as IsSensitive).

Exploitation Methodology

Exploitation requires the attacker to hold administrative privileges or have direct access to the AI configuration panel in the Umbraco backoffice. This elevated privilege requirement aligns with the CVSS Privileges Required (PR) metric of High. The target server must also run dynamic tests that return the configuration values or show validation feedback that leaks details to the client.

First, the attacker logs into the backoffice and navigates to the AI Connection settings page. The attacker locates a credential field, such as the API Key, and inputs a target key path from the application's configuration tree, prefixed with $. An example target path is $ConnectionStrings:umbracoDbDSN to target the main database connection details.

Second, the attacker saves the settings and triggers a connection test or runs an automated AI task. The backend resolver intercepts the configuration string, extracts ConnectionStrings:umbracoDbDSN, queries the global provider, and injects the raw database connection string into the outgoing connection parameters.

Finally, because the target server (e.g., OpenAI) rejects the database connection string as an invalid API key, the system generates an error. This error message is returned to the backoffice client or written to standard logs, exposing the plaintext database connection string, containing usernames and passwords, to the attacker.

Impact Assessment

The security impact of this vulnerability is significant, as it enables total confidentiality compromise of all application-level secrets managed by the host server. Although exploitation requires high-privileged access, an administrator is typically not intended to read system-wide infrastructure secrets such as raw database connection parameters, SMTP credentials, or third-party OAuth Client Secrets.

A compromised session with backoffice configuration access can be leveraged to escalate privileges across the wider corporate network. For example, extracting the umbracoDbDSN connection string grants direct read and write access to the underlying database, allowing the attacker to alter user tables, manipulate audit logs, or extract business-critical data.

If the application utilizes Azure Active Directory or other identity providers, the attacker can extract client secrets configured in appsettings.json, potentially gaining unauthorized access to cloud assets. Because the scope remains unchanged, the impact is confined to the immediate system and systems accessible via the stolen credentials.

Remediation & Mitigation

The primary remediation strategy is to upgrade all installed Umbraco.AI packages and related integration modules to version 1.14.0 or higher. The vendor released a comprehensive patch set in release bundle 2026.06.2 to ensure proper dependency synchronization.

Administrators must also migrate existing dynamic references within appsettings.json or Environment Variables to the newly enforced namespaces. All secrets must be relocated under Umbraco:AI:Secrets and all non-sensitive variables under Umbraco:AI:Variables. Legacy configurations using custom paths will fail to resolve under the default-deny posture unless explicitly allowed.

If legacy configuration paths must be retained temporarily, developers can configure an exception in the application's startup file. By adding custom paths to AIOptions.AllowedConfigurationKeyPrefixes, the resolver will continue to permit those specific paths. However, this configuration is discouraged as it reduces the effectiveness of the patch's defense-in-depth design.

Official Patches

UmbracoOfficial GitHub Patch Release (Tag 2026.06.2)
UmbracoSecurity Patch Compare Page (2026.06.1...2026.06.2)
UmbracoRaw Code Patch/Diff File

Technical Appendix

CVSS Score
4.9/ 10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Systems

Umbraco.AI Web Application PackagesUmbraco backoffice setups with LLM integrations enabled

Affected Versions Detail

Product
Affected Versions
Fixed Version
Umbraco.AI
Umbraco
<= 1.13.01.14.0
Umbraco.AI.Core
Umbraco
<= 1.13.x1.14.0
Umbraco.AI.Web
Umbraco
<= 1.13.x1.14.0
AttributeDetail
CWE IDCWE-200
Attack VectorNetwork
Privileges RequiredHigh
CVSS v3.1 Score4.9 (Medium)
Exploit StatusProof-of-Concept
CISA KEV StatusNot Listed
Remediation StatusPatches Released (1.14.0)

MITRE ATT&CK Mapping

T1552Unsecured Credentials
Credential Access
T1082System Information Discovery
Discovery
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor who is not authorized to have access to that information.

Vulnerability Timeline

Security patch released for Umbraco.AI (v1.14.0) and advisory published.
2026-06-04
GHSA-q3v2-xj35-9grx reviewed and published in the GitHub Advisory Database.
2026-07-14

References & Sources

  • [1]Official GitHub Security Advisory
  • [2]GitHub Advisory Database Entry
  • [3]Vendor Announcement Blog Post

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•29 minutes ago•GHSA-7RX3-5WX3-5V76
7.7

GHSA-7rx3-5wx3-5v76: Missing Authorization in Nebula-mesh Webhook Subscription API Enables Server-Side Request Forgery

Nebula-mesh allows non-admin operators to disable webhook SSRF (Server-Side Request Forgery) protection via the allow_private parameter. Low-privilege operators can configure webhook endpoints targeting internal endpoints and trigger lifecycle events on resources they own, bypassing network access controls.

Amit Schendel
Amit Schendel
4 views•4 min read
•about 2 hours ago•CVE-2025-61670
3.3

CVE-2025-61670: Memory Leak in Wasmtime C/C++ API WebAssembly GC Reference Handling

A technical analysis of CVE-2025-61670, a memory leak vulnerability in Wasmtime's C and C++ API bindings. The issue stems from a refactoring in version 37.0.0 that transitioned garbage-collected reference tracking to host heap-allocated OwnedRooted types without updating FFI ownership semantics.

Alon Barad
Alon Barad
4 views•7 min read
•about 2 hours ago•CVE-2026-50141
7.1

CVE-2026-50141: Agent Impersonation via gRPC Metadata Spoofing in Woodpecker CI

A critical authentication bypass vulnerability in Woodpecker CI allows authenticated agents to impersonate other agents by injecting spoofed agent_id values into gRPC metadata. This flaw is caused by the use of md.Append instead of md.Set on the server-side RPC authorizer.

Alon Barad
Alon Barad
6 views•6 min read
•about 2 hours ago•CVE-2026-50131
8.6

CVE-2026-50131: Server-Side Request Forgery Validation Bypass in Fedify

Fedify, a TypeScript framework for ActivityPub servers, implemented incomplete public URL validation inside the @fedify/fedify and @fedify/vocab-runtime libraries. The validator only blocked basic RFC 1918 networks, standard loopbacks, and link-local addresses, failing to restrict Carrier-Grade NAT (CGNAT), benchmarking, reserved, or IPv6 transition addresses. Consequently, unauthenticated remote attackers can bypass SSRF filters to access sensitive internal microservices and endpoints.

Amit Schendel
Amit Schendel
7 views•8 min read
•about 3 hours ago•CVE-2026-54250
5.8

CVE-2026-54250: Path Traversal Vulnerability in K3s etcd Snapshot Decompression

CVE-2026-54250 is a path traversal vulnerability in K3s, a lightweight Kubernetes distribution. The flaw exists within the etcd snapshot decompression functionality, allowing administrative users to write arbitrary files to the host filesystem via a maliciously crafted ZIP archive. Due to the high privilege level of the K3s process, this can result in total host compromise.

Alon Barad
Alon Barad
7 views•6 min read
•about 20 hours ago•GHSA-XF7X-X43H-RPQH
7.5

GHSA-xf7x-x43h-rpqh: Denial of Service via Unconstrained Circular Reference Resolution in json-repair

A Denial of Service vulnerability exists in the json-repair Python library due to an unconstrained loop during JSON Schema reference resolution. By submitting a circular JSON Schema, an attacker can trigger infinite recursion, causing 100 percent CPU exhaustion. Because this package is heavily utilized in LLM data-processing pipelines, this flaw presents a substantial threat to application availability.

Alon Barad
Alon Barad
7 views•5 min read