CVE-2026-45260 in Pimcoreinfo

Summary

by MITRE • 07/17/2026

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability described affects Pimcore's WebDAV asset endpoint implementation, specifically exposing a critical security flaw through the MOVE operation at /asset/webdav{path} without proper authentication mechanisms. This issue exists in versions prior to 11.5.17 (LTS) and 12.3.7, representing a fundamental breakdown in access control enforcement within the platform's core asset management functionality. The vulnerability stems from the absence of authentication plugins within the CoreBundle's WebDavController.php and the flawed implementation in models/Asset/WebDAV/Tree.php which directly executes asset mutation and deletion operations through models/Asset.php without prior verification of user credentials or appropriate permission checks.

The technical flaw manifests as a privilege escalation vulnerability where unauthorized users can perform destructive operations on assets within the Pimcore system. The WebDAV endpoint's MOVE operation allows for asset relocation, renaming, and potentially overwriting of existing files without proper authorization validation. This occurs because the system fails to validate whether the current user possesses the necessary permissions to rename, delete, create, or publish assets before executing these operations. The vulnerability exists at the intersection of improper authentication enforcement and insufficient authorization checks, creating a pathway for malicious actors to manipulate asset data within the platform.

The operational impact of this vulnerability is severe as it enables unauthorized deletion, movement, and overwriting of assets without any access control restrictions. Attackers can leverage this flaw to compromise the integrity of asset repositories, potentially leading to data loss, content tampering, or disruption of business operations that depend on Pimcore's asset management capabilities. The vulnerability affects the core functionality of the platform by undermining the fundamental security principles of authentication and authorization, allowing attackers to perform operations that should only be available to authenticated administrators or authorized users with appropriate privileges.

This vulnerability aligns with CWE-285 (Improper Authorization) and CWE-306 (Missing Authentication for Critical Function) as it demonstrates a lack of proper access control mechanisms for critical asset management functions. The issue also maps to ATT&CK technique T1078 (Valid Accounts) and T1499 (Endpoint Termination) as unauthorized users can exploit valid WebDAV endpoints to perform destructive operations on system assets without detection. Organizations using affected Pimcore versions face significant risk of data compromise, with the vulnerability potentially enabling attackers to systematically remove or modify critical business assets.

The fix implemented in versions 11.5.17 (LTS) and 12.3.7 addresses this by introducing proper authentication checks and authorization validation before allowing any asset mutation operations through the WebDAV endpoint. The solution ensures that user credentials are verified and appropriate permission levels are confirmed before executing any move, delete, or overwrite operations. Organizations should immediately upgrade to these patched versions to remediate the vulnerability and restore proper access controls for their Pimcore asset management systems, implementing additional monitoring of WebDAV endpoints to detect potential exploitation attempts during the transition period.

Responsible

GitHub M

Reservation

05/11/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!