GHSA-4WG4-P27P-5Q2R
Vulnerability from github – Published: 2026-01-15 18:14 – Updated: 2026-01-15 20:18Summary
The application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This violates the principle of least privilege and constitutes a classic example of Broken Access Control (OWASP Top 10 A01:2021). Because authorization is not validated at the function level, any authenticated user can perform actions intended only for privileged roles, leading to horizontal or vertical privilege escalation.
Detail
The backend user without permission was still able to list, create, update "Favourite Output Channel Configuration" item
Step to Reproduce the issue
login as Admin (full permission) and clicked "Favourite Output Channel Configurations"
Then, captured and saved the request:
-List API
-Create API
-Update API
Next, login a backend user with no permission
The copy the "Cookie" and "X-Pimcore-Csrf-Token"
After that, pasted the copied "Cookie" and "X-Pimcore-Csrf-Token" to captured request
- List API
- Create API
- Update API
Impact
Successful exploitation allows low-privileged or standard users to view, create, modify that should be restricted to specific administrative or operational roles. Depending on the sensitivity of these configurations (e.g., routing of alerts, reports, or data streams), an attacker could redirect critical outputs, suppress notifications, insert misleading channels, or gain insight into internal workflows. In regulated environments, this may result in compliance violations, operational disruption, or facilitation of further attacks through reconnaissance.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.1"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/web2print-tools-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-RC1"
},
{
"fixed": "6.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.1"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/web2print-tools-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23496"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-15T18:14:17Z",
"nvd_published_at": "2026-01-15T17:16:08Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing \"Favourite Output Channel Configurations.\" Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This violates the principle of least privilege and constitutes a classic example of Broken Access Control (OWASP Top 10 A01:2021). Because authorization is not validated at the function level, any authenticated user can perform actions intended only for privileged roles, leading to horizontal or vertical privilege escalation.\n\n### Detail\nThe backend user without permission was still able to list, create, update \"Favourite Output Channel Configuration\" item\n\n### Step to Reproduce the issue\nlogin as Admin (full permission) and clicked \"Favourite Output Channel Configurations\"\n\u003cimg width=\"949\" height=\"860\" alt=\"Screenshot 2025-12-10 at 8 52 55\u202fPM\" src=\"https://github.com/user-attachments/assets/86554e7e-86c1-469f-b09b-5f360c4507dd\" /\u003e\nThen, captured and saved the request:\n-List API\n\u003cimg width=\"923\" height=\"662\" alt=\"Screenshot 2025-12-10 at 8 55 49\u202fPM\" src=\"https://github.com/user-attachments/assets/21d90540-7a6b-4555-bbc0-ce74284dda67\" /\u003e\n-Create API\n\u003cimg width=\"1245\" height=\"783\" alt=\"Screenshot 2025-12-10 at 9 01 46\u202fPM\" src=\"https://github.com/user-attachments/assets/38b5a771-ad17-459b-84e1-fe83c6d609a1\" /\u003e\n-Update API\n\u003cimg width=\"1244\" height=\"726\" alt=\"Screenshot 2025-12-10 at 9 03 00\u202fPM\" src=\"https://github.com/user-attachments/assets/2167d48e-8941-4fff-be07-3050ffa7ad35\" /\u003e\n\nNext, login a backend user with no permission\n\u003cimg width=\"1219\" height=\"744\" alt=\"Screenshot 2025-12-10 at 9 06 12\u202fPM\" src=\"https://github.com/user-attachments/assets/6b3981bc-4fe0-4c6e-8a5b-24523679ad4c\" /\u003e\nThe copy the \"Cookie\" and \"X-Pimcore-Csrf-Token\"\n\u003cimg width=\"1902\" height=\"971\" alt=\"Screenshot 2025-12-10 at 9 10 47\u202fPM\" src=\"https://github.com/user-attachments/assets/4f48f27a-6149-49fb-9209-220c2e62c25f\" /\u003e\nAfter that, pasted the copied \"Cookie\" and \"X-Pimcore-Csrf-Token\" to captured request\n- List API\n\u003cimg width=\"1135\" height=\"660\" alt=\"Screenshot 2025-12-10 at 9 14 47\u202fPM\" src=\"https://github.com/user-attachments/assets/32ebdad2-771a-41dd-a4e6-13e8cb8ef201\" /\u003e\n- Create API\n\u003cimg width=\"1140\" height=\"697\" alt=\"Screenshot 2025-12-10 at 9 16 43\u202fPM\" src=\"https://github.com/user-attachments/assets/25d5b7a9-5e96-4e7c-94cf-3c9c3d31e7f1\" /\u003e\n- Update API\n\u003cimg width=\"1144\" height=\"722\" alt=\"Screenshot 2025-12-10 at 9 19 00\u202fPM\" src=\"https://github.com/user-attachments/assets/02440595-2e10-44a8-9fb7-8eb8f0aab12a\" /\u003e\n\n\n### Impact\nSuccessful exploitation allows low-privileged or standard users to view, create, modify that should be restricted to specific administrative or operational roles. Depending on the sensitivity of these configurations (e.g., routing of alerts, reports, or data streams), an attacker could redirect critical outputs, suppress notifications, insert misleading channels, or gain insight into internal workflows. In regulated environments, this may result in compliance violations, operational disruption, or facilitation of further attacks through reconnaissance.",
"id": "GHSA-4wg4-p27p-5q2r",
"modified": "2026-01-15T20:18:09Z",
"published": "2026-01-15T18:14:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23496"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/web2print-tools/pull/108"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pimcore Web2Print Tools Bundle \"Favourite Output Channel Configuration\" Missing Function Level Authorization"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.