CVE-2026-24687: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in umbraco Umbraco.Forms.Issues
Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice user to enumerate and traverse paths/files on the system's filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren't affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..\`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended.
AI Analysis
Technical Summary
CVE-2026-24687 is a path traversal vulnerability classified under CWE-22 affecting Umbraco Forms, a form builder integrated with the Umbraco CMS. The flaw exists in versions 16.0.0 up to but not including 16.4.1, and 17.0.0 up to but not including 17.1.1. It allows an authenticated backoffice user on Mac or Linux installations to manipulate the fileName parameter of the /umbraco/forms/api/v1/export endpoint to traverse directories and read arbitrary files on the server filesystem. The cause is insufficient validation or sanitization of pathname input, which permits sequences like '../' or '..\' to escape the intended restricted directory. The vulnerability does not affect Umbraco Cloud users because their environment runs on Windows, which is not vulnerable to this specific issue. Exploitation requires low-privilege authenticated access but no additional user interaction. The vulnerability has a CVSS 4.0 score of 6.0, indicating medium severity, with a network attack vector, low attack complexity, and partial confidentiality impact. No known exploits are reported in the wild as of publication. Upgrading to the patched versions 16.4.1 or 17.1.1 is strongly recommended. If an immediate upgrade is not feasible, deploying WAF or reverse proxy rules to block path traversal patterns in the fileName parameter, restricting backoffice access to trusted IP ranges, or disabling the export endpoint if unused are effective interim controls.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive files on web servers running vulnerable Umbraco Forms versions on Mac or Linux. Attackers with authenticated backoffice access could enumerate and read configuration files, credentials, or other sensitive data, potentially leading to further compromise or data breaches. This risk is heightened for organizations with weak access controls or shared credentials. The impact on confidentiality is high, while integrity and availability are not directly affected. Given Umbraco's popularity among European SMEs and public sector entities for content management, exploitation could expose personal data protected under GDPR, leading to regulatory penalties and reputational damage. The medium severity rating indicates a significant but not critical threat, emphasizing the importance of timely patching and access restrictions to mitigate risk.
Mitigation Recommendations
1. Upgrade Umbraco Forms to version 16.4.1 or 17.1.1 immediately to apply the official patch.
2. If upgrading is delayed, configure Web Application Firewalls (WAFs) or reverse proxies to detect and block path traversal sequences such as '../' and '..\' in the fileName parameter of the /umbraco/forms/api/v1/export endpoint.
3. Restrict network access to the Umbraco backoffice interface by implementing IP whitelisting or VPN access to limit authenticated user exposure.
4. Disable or block the /umbraco/forms/api/v1/export endpoint entirely if the export functionality is not required in the deployment.
5. Enforce strong authentication and monitor backoffice user activity for unusual file access patterns.
6. Conduct regular security audits and vulnerability scans on Umbraco installations, especially on Mac/Linux servers.
7. Educate administrators on the risks of path traversal and the importance of patch management.
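A log-review check that covers the interim control in step 2 and the monitoring in step 5, written here as an added example for this page; it is not code from Umbraco, from the advisory, or from the analysis above. It assumes the common Apache/nginx access-log line format, uses constructed sample lines rather than real traffic, and compares query keys case-insensitively because ASP.NET Core matches query-string keys that way. The endpoint path and the fileName parameter are the ones named in the advisory.

```python
"""Flag access-log requests to the Umbraco Forms export endpoint whose fileName
parameter carries a path-traversal sequence (CVE-2026-24687 interim control).
The log lines below are constructed samples, not real traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory.
EXPORT_PATH = "/umbraco/forms/api/v1/export"
PARAM = "filename"  # compared case-insensitively (ASP.NET Core query keys are case-insensitive)

# Common/combined access-log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign export, three encoded/escaped traversal
# attempts on the export endpoint, one traversal on an unrelated endpoint
# (out of scope for this rule), and one attempt that a blocking rule stopped (403).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2026:20:12:50 +0000] "GET /umbraco/forms/api/v1/export?fileName=contact-form.csv HTTP/1.1" 200 512
10.0.0.7 - - [29/Jan/2026:20:13:01 +0000] "GET /umbraco/forms/api/v1/export?fileName=..%2F..%2Fappsettings.json HTTP/1.1" 200 2048
10.0.0.7 - - [29/Jan/2026:20:13:05 +0000] "GET /umbraco/forms/api/v1/export?fileName=%252e%252e%2fsecret.txt HTTP/1.1" 200 100
10.0.0.9 - - [29/Jan/2026:20:14:00 +0000] "GET /umbraco/api/content?fileName=../x HTTP/1.1" 200 300
10.0.0.7 - - [29/Jan/2026:20:14:10 +0000] "GET /umbraco/forms/api/v1/export?fileName=..\\..\\etc\\hosts HTTP/1.1" 200 90
10.0.0.7 - - [29/Jan/2026:20:14:20 +0000] "GET /umbraco/forms/api/v1/export?FILENAME=..%2f..%2fsecret.txt HTTP/1.1" 403 0
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2e%2e%2f and %252e%252e%252f both become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_file_name(value: str) -> str:
    """Decode, then treat backslashes as separators (the advisory lists both '../' and '..\\')."""
    return fully_decode(value).replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True if any path segment of the decoded, normalized fileName is '..'."""
    return ".." in normalize_file_name(value).split("/")


def flag_export_traversal(log_text: str) -> list[dict]:
    """Return one record per request to the export endpoint with a traversal in fileName."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/").lower() != EXPORT_PATH:
            continue  # the same sequence on another endpoint is outside this rule's scope
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() != PARAM:
                continue
            for raw in values:  # parse_qs has already removed one layer of encoding
                if has_traversal(raw):
                    hits.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "status": int(m.group("status")),
                        "file_name": normalize_file_name(raw),
                    })
    return hits


if __name__ == "__main__":
    for hit in flag_export_traversal(SAMPLE_LOG):
        # A 200 means the server served the request; a 403 means a blocking rule caught it.
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} fileName={hit['file_name']}")
```

Run against an exported access log, the output lists which requests reached the endpoint with a traversal in fileName and whether they were served (200) or blocked (403). Decoding is repeated so that single- and double-encoded variants are both recognised; that is also the property to verify in any WAF or reverse proxy rule deployed under step 2, because a rule that matches only a literal `../` does not see `%2e%2e%2f`, and a rule keyed on the exact spelling `fileName` does not see `FILENAME`.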
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Denmark, Belgium, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T20:40:23.389Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697bbf42ac06320222b3ea9b
Added to database: 1/29/2026, 8:12:50 PM
Last enriched: 1/29/2026, 8:27:27 PM
Last updated: 1/29/2026, 9:18:20 PM
Views: 4