Umbraco HQ announced a medium-severity security issue affecting versions of Umbraco from Umbraco 8 to Umbraco 11, including the now out of support Umbraco 9.  All customers are advised to have their sites updated with the available patches.


Updated 29 March 2023: Umbraco have announced an additional patch release due to another vulnerability found.  The level of impact has not changed however.


As per common practice, details of the exploit have not been released, however we do know that Umbraco 7 is not affected by this vulnerability.  We also know that the exploit only applies once you've logged in and have access to the Umbraco backoffice (the content editing and configuration environment for the site hosted on Umbraco).

Key Facts

  • Umbraco 7 is not affected
  • Umbraco 9 is affected, however there is no patch available.  If your site is running on Umbraco 9, it's recommended to upgrade to the latest Long Term Support (LTS) version - currently Umbraco 10.
  • This exploit only affects the site when someone is logged in and has access to the Umbraco backoffice.
  • Umbraco Cloud hosted sites will have already been patched by Umbraco HQ by now

If your site is running on Umbraco Cloud you should still have someone review your sites and ensure that the upgrade has been successfully completed.

Details on the vulnerability and how to upgrade can be found on Umbraco HQ's blog here: Security Advisory, March 21, 2023: Patch is now available (

If you would like support or assistance in upgrading your site reach out to us and we'll be glad to help.

Share this article... Twitter Facebook LinkedIn

Keep Reading