CVE-2026-23495 (GCVE-0-2026-23495)
Vulnerability from cvelistv5 – Published: 2026-01-15 16:47 – Updated: 2026-01-15 17:09
VLAI?
Title
Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
Summary
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
Severity ?
4.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23495",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T17:08:56.115694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T17:09:32.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pimcore",
"vendor": "pimcore",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-RC1, \u003c 2.2.3"
},
{
"status": "affected",
"version": "\u003c 1.7.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:47:07.114Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f"
},
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909"
},
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16"
},
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3"
}
],
"source": {
"advisory": "GHSA-hqrp-m84v-2m2f",
"discovery": "UNKNOWN"
},
"title": "Pimcore\u0027s Admin Classic Bundle is Missing Function Level Authorization on \"Predefined Properties\" Listing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23495",
"datePublished": "2026-01-15T16:47:07.114Z",
"dateReserved": "2026-01-13T15:47:41.629Z",
"dateUpdated": "2026-01-15T17:09:32.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23495\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-15T17:16:08.597\",\"lastModified\":\"2026-01-16T15:55:12.257\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23495\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-15T17:08:56.115694Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-15T17:09:13.047Z\"}}], \"cna\": {\"title\": \"Pimcore\u0027s Admin Classic Bundle is Missing Function Level Authorization on \\\"Predefined Properties\\\" Listing\", \"source\": {\"advisory\": \"GHSA-hqrp-m84v-2m2f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"pimcore\", \"product\": \"pimcore\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.0-RC1, \u003c 2.2.3\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.7.16\"}]}], \"references\": [{\"url\": \"https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f\", \"name\": \"https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909\", \"name\": \"https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16\", \"name\": \"https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3\", \"name\": \"https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-15T16:47:07.114Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-23495\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-15T17:09:32.298Z\", \"dateReserved\": \"2026-01-13T15:47:41.629Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-15T16:47:07.114Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-HQRP-M84V-2M2F
Vulnerability from github – Published: 2026-01-15 18:13 – Updated: 2026-01-15 20:17
VLAI?
Summary
Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
Details
Summary
The API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. This exemplifies Broken Access Control (OWASP Top 10 A01:2021), enabling unauthorized access to administrative features and potentially violating role-based access controls inherent to Pimcore's multi-user environment.
Details
The backend user without permission was still able to list "Predefined Properties" item
Step to Reproduce the issue
login as Admin (full permission) and clicked "Predefined Properties"
Then, captured and saved the request:
- List API
Next, login a backend user with no permission
The copy the "Cookie" and "X-Pimcore-Csrf-Token"
After that, pasted the copied "Cookie" and "X-Pimcore-Csrf-Token" to captured request
-List API
Impact
Exploitation allows low-privileged users to enumerate all Predefined Properties, exposing internal metadata schemas, default values, and configuration details that may reveal business logic, data classification strategies, or sensitive defaults (e.g., proprietary keys or select options). In a PIM system like Pimcore, this could facilitate reconnaissance for further attacks, such as targeted data manipulation or privilege escalation, leading to unauthorized alterations of asset/object properties. For organizations handling regulated content (e.g., e-commerce catalogs under GDPR or PCI DSS), such exposure risks compliance breaches, intellectual property leakage, and operational inconsistencies from unintended property overrides.
Severity ?
4.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.2"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/admin-ui-classic-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-RC1"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.15"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/admin-ui-classic-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23495"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-15T18:13:26Z",
"nvd_published_at": "2026-01-15T17:16:08Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. This exemplifies Broken Access Control (OWASP Top 10 A01:2021), enabling unauthorized access to administrative features and potentially violating role-based access controls inherent to Pimcore\u0027s multi-user environment.\n\n### Details\nThe backend user without permission was still able to list \"Predefined Properties\" item\n\n### Step to Reproduce the issue \nlogin as Admin (full permission) and clicked \"Predefined Properties\"\n\u003cimg width=\"1493\" height=\"862\" alt=\"Screenshot 2025-12-10 at 10 11 31\u202fPM\" src=\"https://github.com/user-attachments/assets/005d2704-347c-4aa1-b415-d52ab3794c99\" /\u003e\n\nThen, captured and saved the request:\n- List API\n\u003cimg width=\"922\" height=\"797\" alt=\"Screenshot 2025-12-10 at 10 39 53\u202fPM\" src=\"https://github.com/user-attachments/assets/2ee3e0e1-06da-442f-b2c7-0dfa8360c04a\" /\u003e\n\n\nNext, login a backend user with no permission\n\u003cimg width=\"1219\" height=\"744\" alt=\"Screenshot 2025-12-10 at 9 06 12\u202fPM\" src=\"https://github.com/user-attachments/assets/1dada4c4-d907-4477-9773-70dea3ef5816\" /\u003e\n\nThe copy the \"Cookie\" and \"X-Pimcore-Csrf-Token\"\n\u003cimg width=\"1902\" height=\"971\" alt=\"Screenshot 2025-12-10 at 9 10 47\u202fPM\" src=\"https://github.com/user-attachments/assets/63221682-fa14-429b-8665-fc9dd8bed890\" /\u003e\n\nAfter that, pasted the copied \"Cookie\" and \"X-Pimcore-Csrf-Token\" to captured request\n\n-List API\n![Uploading Screenshot 2025-12-10 at 10.55.23\u202fPM.png\u2026]()\n\n\n### Impact\nExploitation allows low-privileged users to enumerate all Predefined Properties, exposing internal metadata schemas, default values, and configuration details that may reveal business logic, data classification strategies, or sensitive defaults (e.g., proprietary keys or select options). In a PIM system like Pimcore, this could facilitate reconnaissance for further attacks, such as targeted data manipulation or privilege escalation, leading to unauthorized alterations of asset/object properties. For organizations handling regulated content (e.g., e-commerce catalogs under GDPR or PCI DSS), such exposure risks compliance breaches, intellectual property leakage, and operational inconsistencies from unintended property overrides.",
"id": "GHSA-hqrp-m84v-2m2f",
"modified": "2026-01-15T20:17:53Z",
"published": "2026-01-15T18:13:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23495"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pimcore\u0027s Admin Classic Bundle is Missing Function Level Authorization on \"Predefined Properties\" Listing"
}
FKIE_CVE-2026-23495
Vulnerability from fkie_nvd - Published: 2026-01-15 17:16 - Updated: 2026-01-16 15:55
Severity ?
Summary
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16."
}
],
"id": "CVE-2026-23495",
"lastModified": "2026-01-16T15:55:12.257",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-15T17:16:08.597",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…