CVE-2026-31832 is a broken object-level authorization vulnerability (CWE-639) found in Umbraco CMS, an ASP.NET-based content management system widely used for website content management. The vulnerability exists in a backoffice API endpoint responsible for managing domain-related data assignments to content nodes. Specifically, the API fails to enforce proper authorization checks on whether an authenticated user has permission to modify domain assignments on particular content nodes. As a result, users with authenticated access but limited privileges (e.g., editors restricted by user group or start node permissions) can exploit this flaw to assign or modify domain data on content nodes outside their authorized scope. This bypass of authorization controls can lead to unauthorized changes in website content structure or domain configurations, potentially causing content integrity issues or availability disruptions. The vulnerability affects Umbraco CMS versions from 14.0.0 up to but not including 16.5.1, and from 17.0.0 up to but not including 17.2.0. The flaw does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 5.4, reflecting medium severity due to the impact on integrity and availability but no direct confidentiality loss. The issue has been addressed in versions 16.5.1 and 17.2.2 by implementing proper authorization enforcement on the affected API endpoint.

The primary impact of this vulnerability is unauthorized modification of domain assignments on content nodes within Umbraco CMS-managed websites. This can lead to integrity issues where content or domain configurations are altered without proper authorization, potentially causing website misconfigurations, content misrouting, or service disruptions. Although confidentiality is not directly impacted, the integrity and availability of website content can be compromised, which may affect user trust and business operations. Organizations relying on Umbraco CMS for critical web content management could face reputational damage, operational downtime, or increased administrative overhead to detect and remediate unauthorized changes. Since exploitation requires only authenticated access, insider threats or compromised user accounts increase the risk. The vulnerability does not appear to have known exploits in the wild yet, but the medium severity and ease of exploitation warrant prompt attention.

Organizations should upgrade affected Umbraco CMS instances to version 16.5.1 or 17.2.2 or later, where the vulnerability is patched. Until upgrades can be applied, administrators should restrict access to the backoffice API endpoints to trusted users only and review user group permissions to minimize the number of users with domain assignment privileges. Implementing strong authentication mechanisms, such as multi-factor authentication (MFA), can reduce the risk of compromised accounts being used to exploit this flaw. Regularly audit content node permissions and domain assignments to detect unauthorized changes promptly. Additionally, monitoring API access logs for unusual activity related to domain assignments can help identify exploitation attempts. Employing web application firewalls (WAFs) with custom rules to detect anomalous API calls may provide temporary mitigation. Finally, ensure that all CMS users are trained on security best practices to prevent credential misuse.