CVE-2026-45704 in Pimcore
Summary
by MITRE • 07/17/2026
Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and bundles/CustomReportsBundle/src/Tool/Config/Listing/Dao.php, allowing a low-privileged backend user with the reports permission to directly request an unshared report such as poc-secret-report by name and read report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings even when shareGlobally is false. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability described affects Pimcore's CustomReports functionality where inconsistent authorization controls exist between report listing and detail endpoints, creating a privilege escalation risk for low-privileged backend users. This security flaw resides in the bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and bundles/CustomReportsBundle/src/Tool/Config/Listing/Dao.php files, where the system fails to properly enforce access controls when retrieving report metadata. The issue allows authenticated users with only basic reports permission to bypass normal sharing restrictions and directly access unshared reports by name, undermining the platform's intended access control mechanisms.
The technical implementation flaw stems from a mismatch in authorization logic where the listing endpoint properly filters reports based on user permissions while the detail endpoint does not perform adequate access validation before returning sensitive report metadata. This inconsistency creates a path where users can craft direct requests to specific report endpoints using known report names such as poc-secret-report, thereby gaining visibility into report configurations including grouping information, display settings, icon metadata, data source specifications, column arrangements, and sharing parameters even when the shareGlobally flag is set to false. The vulnerability represents a classic case of insufficient authorization checks in web applications.
From an operational perspective, this vulnerability significantly impacts data confidentiality and access control integrity within Pimcore environments. Low-privileged users who should only have access to reports they explicitly created or were shared with can now extract detailed metadata about other users' reports, potentially exposing sensitive business intelligence, data structures, and reporting configurations. The impact extends beyond simple information disclosure as the vulnerability could enable attackers to understand report relationships, data sources, and organizational reporting patterns that might inform further attacks. This aligns with CWE-284 Access Control Issues, specifically focusing on improper access control mechanisms in web applications.
The security implications of this vulnerability are particularly concerning for organizations that rely on Pimcore's CustomReports for sensitive business operations where reports may contain proprietary information or confidential data analysis. Attackers could leverage this weakness to map out the reporting landscape of an organization, identify critical data sources, and potentially discover other vulnerabilities through the metadata exposure. The fix implemented in versions 11.5.17 (LTS) and 12.3.6 demonstrates the importance of consistent authorization enforcement across all API endpoints and user interfaces within web applications.
Organizations using Pimcore should immediately upgrade to the patched versions to remediate this vulnerability, as it represents a significant risk to data governance and access control policies. The mitigation strategy involves ensuring that all report detail endpoints perform proper access validation regardless of whether the report is shared globally or not, implementing consistent authorization checks across all API interfaces, and regularly auditing access control mechanisms for similar inconsistencies. This vulnerability highlights the critical importance of maintaining consistent security controls throughout application architectures and aligns with ATT&CK technique T1078 Valid Accounts, where attackers might exploit weak access controls to gain unauthorized visibility into system resources.