
CVE-2026-27449: Unauthenticated Data Exposure via Broken Access Control in Umbraco Engage
Vulnerability ID: CVE-2026-27449
CVSS Score: 7.5
Published: 2026-02-27

A critical access control failure has been identified in Umbraco Engage (formerly uMarketingSuite), specifically affecting the Forms component. The vulnerability arises from missing authentication and authorization checks on sensitive API endpoints, allowing unauthenticated remote attackers to access proprietary marketing data and form submissions. By exploiting this flaw, attackers can bypass intended security boundaries and enumerate records via Insecure Direct Object References (IDOR), leading to significant data leakage of business intelligence and potentially personally identifiable information (PII).

TL;DR

CVE-2026-27449 permits unauthenticated attackers to query internal Umbraco Engage API endpoints. By manipulating ID parameters, attackers can scrape sensitive form and analytics data. Immediate patching to versions 16.2.1 or 17.1.1 is



