GHSA-HQRP-M84V-2M2F

Vulnerability from github – Published: 2026-01-15 18:13 – Updated: 2026-01-15 20:17
VLAI?
Summary
Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
Details

Summary

The API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. This exemplifies Broken Access Control (OWASP Top 10 A01:2021), enabling unauthorized access to administrative features and potentially violating role-based access controls inherent to Pimcore's multi-user environment.

Details

The backend user without permission was still able to list "Predefined Properties" item

Step to Reproduce the issue

login as Admin (full permission) and clicked "Predefined Properties" Screenshot 2025-12-10 at 10 11 31 PM

Then, captured and saved the request: - List API Screenshot 2025-12-10 at 10 39 53 PM

Next, login a backend user with no permission Screenshot 2025-12-10 at 9 06 12 PM

The copy the "Cookie" and "X-Pimcore-Csrf-Token" Screenshot 2025-12-10 at 9 10 47 PM

After that, pasted the copied "Cookie" and "X-Pimcore-Csrf-Token" to captured request

-List API Uploading Screenshot 2025-12-10 at 10.55.23 PM.png…

Impact

Exploitation allows low-privileged users to enumerate all Predefined Properties, exposing internal metadata schemas, default values, and configuration details that may reveal business logic, data classification strategies, or sensitive defaults (e.g., proprietary keys or select options). In a PIM system like Pimcore, this could facilitate reconnaissance for further attacks, such as targeted data manipulation or privilege escalation, leading to unauthorized alterations of asset/object properties. For organizations handling regulated content (e.g., e-commerce catalogs under GDPR or PCI DSS), such exposure risks compliance breaches, intellectual property leakage, and operational inconsistencies from unintended property overrides.

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/admin-ui-classic-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-RC1"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/admin-ui-classic-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T18:13:26Z",
    "nvd_published_at": "2026-01-15T17:16:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore\u0027s official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. This exemplifies Broken Access Control (OWASP Top 10 A01:2021), enabling unauthorized access to administrative features and potentially violating role-based access controls inherent to Pimcore\u0027s multi-user environment.\n\n### Details\nThe backend user without permission was still able to list \"Predefined Properties\" item\n\n### Step to Reproduce the issue \nlogin as Admin (full permission) and clicked \"Predefined Properties\"\n\u003cimg width=\"1493\" height=\"862\" alt=\"Screenshot 2025-12-10 at 10 11 31\u202fPM\" src=\"https://github.com/user-attachments/assets/005d2704-347c-4aa1-b415-d52ab3794c99\" /\u003e\n\nThen, captured and saved the request:\n- List API\n\u003cimg width=\"922\" height=\"797\" alt=\"Screenshot 2025-12-10 at 10 39 53\u202fPM\" src=\"https://github.com/user-attachments/assets/2ee3e0e1-06da-442f-b2c7-0dfa8360c04a\" /\u003e\n\n\nNext, login a backend user with no permission\n\u003cimg width=\"1219\" height=\"744\" alt=\"Screenshot 2025-12-10 at 9 06 12\u202fPM\" src=\"https://github.com/user-attachments/assets/1dada4c4-d907-4477-9773-70dea3ef5816\" /\u003e\n\nThe copy the \"Cookie\" and \"X-Pimcore-Csrf-Token\"\n\u003cimg width=\"1902\" height=\"971\" alt=\"Screenshot 2025-12-10 at 9 10 47\u202fPM\" src=\"https://github.com/user-attachments/assets/63221682-fa14-429b-8665-fc9dd8bed890\" /\u003e\n\nAfter that, pasted the copied \"Cookie\" and \"X-Pimcore-Csrf-Token\" to captured request\n\n-List API\n![Uploading Screenshot 2025-12-10 at 10.55.23\u202fPM.png\u2026]()\n\n\n### Impact\nExploitation allows low-privileged users to enumerate all Predefined Properties, exposing internal metadata schemas, default values, and configuration details that may reveal business logic, data classification strategies, or sensitive defaults (e.g., proprietary keys or select options). In a PIM system like Pimcore, this could facilitate reconnaissance for further attacks, such as targeted data manipulation or privilege escalation, leading to unauthorized alterations of asset/object properties. For organizations handling regulated content (e.g., e-commerce catalogs under GDPR or PCI DSS), such exposure risks compliance breaches, intellectual property leakage, and operational inconsistencies from unintended property overrides.",
  "id": "GHSA-hqrp-m84v-2m2f",
  "modified": "2026-01-15T20:17:53Z",
  "published": "2026-01-15T18:13:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore\u0027s Admin Classic Bundle is Missing Function Level Authorization on \"Predefined Properties\" Listing"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.