SCA: security update for Umbraco.Engage.Forms (GHSA-86vq-ccwf-rm62)

high Tenable Self-Hosted Container Security Plugin ID 438044

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage
prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing
authentication or authorization checks. The affected endpoints can be accessed directly over the network
without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter
(e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access
control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers
to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive
Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary
record access through predictable or enumerable identifiers. The confidentiality impact is considered
high. No direct integrity or availability impact has been identified. The scope of exposed data depends on
the deployment but may include analytics data, tracking data, customer-related information, or other
Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released.
Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available. (CVE-2026-27449)

See Also

https://github.com/advisories/GHSA-86vq-ccwf-rm62

Plugin Details

Severity: High

ID: 438044

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/2/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-27449

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/27/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-27449