SB2026061535 - Multiple vulnerabilities in Pimcore
Published: June 15, 2026
Breakdown by Severity (Low / Medium / High / Critical): per-severity counts not reproduced.
Description
This security bulletin contains information about 6 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-45260)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to delete assets without authorization and cause a denial of service.
The vulnerability exists due to missing authorization in the WebDAV MOVE handling of Asset\WebDAV\Tree::move(), reached through MOVE requests to /asset/webdav{path}. A remote user can send a specially crafted MOVE request to delete an asset they are not permitted to modify, resulting in data loss and denial of service.
In the same-directory overwrite path, the source asset is deleted before the current Pimcore user is resolved and before per-asset permissions are enforced, so the authorization check never runs for that branch.
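To triage exposure to the WebDAV MOVE issue above, the following added example (not code from this bulletin or from Pimcore) scans access-log lines for MOVE requests under /asset/webdav whose Destination stays in the source's directory, which is the same-directory overwrite path singled out above. It assumes a constructed log format: the common log format with the quoted value of the WebDAV Destination request header appended (for example an nginx log_format ending in "$http_destination"). A stock web-server access log does not record request headers, so that format, and the sample lines, are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote
from posixpath import dirname, normpath

# Constructed log format (assumption): common log format followed by the
# quoted WebDAV Destination request header. Not a default of any web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<destination>[^"]*)"$'
)

WEBDAV_PREFIX = "/asset/webdav"


def _normalize_path(value):
    """Reduce a Destination header (absolute URL or bare path) to a normalized
    path, decoding percent-encoding so encoded '..' segments are collapsed."""
    path = urlsplit(value).path if "://" in value else value
    return normpath(unquote(path))


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_same_directory_move(entry):
    """True for a WebDAV MOVE under /asset/webdav whose Destination resolves to
    a different name in the same directory as the source."""
    if entry["method"] != "MOVE" or not entry["path"].startswith(WEBDAV_PREFIX):
        return False
    if not entry["destination"] or entry["destination"] == "-":
        return False
    src = _normalize_path(entry["path"])
    dst = _normalize_path(entry["destination"])
    return dst.startswith(WEBDAV_PREFIX) and dirname(src) == dirname(dst) and src != dst


def find_suspicious_moves(lines):
    """Return (user, source, destination, status) for each same-directory MOVE."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_same_directory_move(entry):
            hits.append((entry["user"], _normalize_path(entry["path"]),
                         _normalize_path(entry["destination"]), entry["status"]))
    return hits


# Constructed sample lines (not real traffic). The last one hides the
# same-directory move behind a percent-encoded '..' segment.
SAMPLE_LOG = [
    '10.0.0.5 - editor [15/Jun/2026:10:01:02 +0000] "PROPFIND /asset/webdav/brochures/ HTTP/1.1" 207 512 "-"',
    '10.0.0.5 - editor [15/Jun/2026:10:01:09 +0000] "MOVE /asset/webdav/brochures/draft.pdf HTTP/1.1" 204 0 "https://cms.example.test/asset/webdav/brochures/final.pdf"',
    '10.0.0.5 - editor [15/Jun/2026:10:02:30 +0000] "MOVE /asset/webdav/brochures/old.pdf HTTP/1.1" 201 0 "/asset/webdav/archive/old.pdf"',
    '10.0.0.9 - viewer [15/Jun/2026:10:03:00 +0000] "MOVE /asset/webdav/brochures/x.pdf HTTP/1.1" 204 0 "/asset/webdav/brochures/%2e%2e/brochures/cover.pdf"',
]

if __name__ == "__main__":
    for hit in find_suspicious_moves(SAMPLE_LOG):
        print("same-directory MOVE:", hit)
```

A 204 on such a MOVE from an account that should not be able to modify the source asset is the signal to follow up on; the cross-directory move in the third line is excluded because the bulletin ties the unchecked deletion to the same-directory overwrite branch only.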
2) SQL injection (CVE-ID: CVE-2026-5394)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to modify the database schema and cause a denial of service.
The vulnerability exists due to SQL injection in DataObject composite index handling when class definitions carrying crafted composite index metadata are imported or saved. A remote user can supply crafted compositeIndices values that reach the index definition SQL unvalidated, allowing them to modify the database schema and cause a denial of service.
Exploitation requires the ability to import or save DataObject class definitions through the administrative workflow (CVSS PR:H).
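Index names and column names are SQL identifiers, so they cannot be protected with bound parameters the way values can; the only defence is an allow-list plus a check against the columns the class actually defines. The following added example (not code from this bulletin or from Pimcore) shows the vulnerable interpolation beside a hardened builder. The metadata shape ({"index_key": ..., "index_columns": [...]}), the table name and the payload are constructed for the example and are not asserted to match Pimcore's own class-definition format.

```python
import re

# Assumed metadata shape (not Pimcore's asserted format):
#   {"index_key": "sku_locale", "index_columns": ["sku", "locale"]}

# Safe subset of MySQL/MariaDB identifiers: ASCII letters, digits and
# underscore, at most 64 characters.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


class InvalidIndexDefinition(ValueError):
    pass


def quote_identifier(name):
    """Backtick-quote an identifier that already passed the allow-list.
    Doubling embedded backticks is defence in depth; the regex rejects them."""
    return "`" + name.replace("`", "``") + "`"


def validate_composite_index(index, known_columns):
    """Return (index_name, columns) or raise InvalidIndexDefinition."""
    name = index.get("index_key")
    columns = index.get("index_columns")
    if not isinstance(name, str) or not IDENTIFIER_RE.match(name):
        raise InvalidIndexDefinition("bad index name: %r" % (name,))
    if not isinstance(columns, list) or not columns:
        raise InvalidIndexDefinition("index %s has no columns" % name)
    if len(columns) != len(set(columns)):
        raise InvalidIndexDefinition("index %s repeats a column" % name)
    for col in columns:
        if not isinstance(col, str) or not IDENTIFIER_RE.match(col):
            raise InvalidIndexDefinition("bad column name: %r" % (col,))
        if col not in known_columns:
            raise InvalidIndexDefinition("index %s references unknown column %s" % (name, col))
    return name, list(columns)


def unsafe_add_index_sql(table, index):
    """The vulnerable pattern: metadata interpolated straight into DDL."""
    cols = ", ".join(index["index_columns"])
    return "ALTER TABLE %s ADD INDEX %s (%s);" % (table, index["index_key"], cols)


def safe_add_index_sql(table, index, known_columns):
    """The hardened pattern: every identifier allow-listed, checked against the
    class's real columns, and backtick-quoted before it reaches the DDL."""
    if not IDENTIFIER_RE.match(table):
        raise InvalidIndexDefinition("bad table name: %r" % (table,))
    name, columns = validate_composite_index(index, known_columns)
    cols = ", ".join(quote_identifier(c) for c in columns)
    return "ALTER TABLE %s ADD INDEX %s (%s);" % (
        quote_identifier(table), quote_identifier(name), cols)


def is_rejected(table, index, known_columns):
    """True if the hardened builder refuses the definition."""
    try:
        safe_add_index_sql(table, index, known_columns)
    except InvalidIndexDefinition:
        return True
    return False


# Constructed inputs: one legitimate definition and one that smuggles extra
# DDL through the index name.
KNOWN_COLUMNS = {"oo_id", "sku", "locale", "price"}
GOOD_INDEX = {"index_key": "sku_locale", "index_columns": ["sku", "locale"]}
CRAFTED_INDEX = {"index_key": "x (sku); DROP TABLE object_store_1; -- ",
                 "index_columns": ["sku"]}

if __name__ == "__main__":
    print(unsafe_add_index_sql("object_store_1", CRAFTED_INDEX))
    print(safe_add_index_sql("object_store_1", GOOD_INDEX, KNOWN_COLUMNS))
    print("crafted rejected:", is_rejected("object_store_1", CRAFTED_INDEX, KNOWN_COLUMNS))
```

The unknown-column check matters as much as the character allow-list: an identifier that is syntactically clean but names a column outside the class definition is still a way to probe or alter tables the importer never meant to touch.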
3) SQL injection (CVE-ID: CVE-2026-44739)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and modify database contents.
The vulnerability exists due to SQL injection in the columnConfigAction endpoint in the CustomReportsBundle when processing a user-supplied report configuration. A remote user can send a specially crafted request containing malicious SQL fragments to disclose sensitive information and modify database contents.
User interaction is required, and exploitation is limited to accounts with the reports_config permission.
4) Deserialization of Untrusted Data (CVE-ID: CVE-2026-45162)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in multiple unserialize() call sites in Pimcore when processing serialized data from database columns or filesystem files. A remote privileged user can inject a serialized PHP gadget chain into a controllable data source to execute arbitrary code.
Exploitation requires control over a referenced database or filesystem data source through a separate write primitive, such as SQL injection or a file write vulnerability.
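Because the dangerous unserialize() calls read from database columns and files rather than directly from requests, an incident responder's first question is whether any stored blob already carries a serialized object of a class the application never writes. The following added example (not code from this bulletin or from Pimcore) scans rows for PHP serialized object markers (O:len:"Class": and C:len:"Class":), checks the declared length against the name to discard chance matches inside ordinary strings, and reports classes outside an allow-list. The allow-list entries and the sample rows are constructed for the example.

```python
import re

# Start of a serialized PHP object: O:<len>:"<class>": for plain objects,
# C:<len>:"<class>": for classes implementing Serializable.
PHP_OBJECT_RE = re.compile(rb'(?P<kind>[OC]):(?P<len>\d+):"(?P<name>[^"]*)":')


def find_serialized_classes(blob):
    """Return the class names of PHP serialized objects found in blob, in
    order. The declared length must equal the name length, which filters
    out most look-alike text inside normal string data."""
    found = []
    for m in PHP_OBJECT_RE.finditer(blob):
        name = m.group("name")
        if len(name) == int(m.group("len")):
            found.append(name.decode("utf-8", "replace"))
    return found


def unexpected_classes(blob, allowed):
    """Class names in blob that are not on the allow-list of classes the
    application legitimately stores in serialized form."""
    return sorted({c for c in find_serialized_classes(blob) if c not in allowed})


def scan_rows(rows, allowed):
    """rows: iterable of (row_id, bytes). Returns [(row_id, [classes])] for
    rows carrying at least one unexpected class."""
    findings = []
    for row_id, blob in rows:
        bad = unexpected_classes(blob, allowed)
        if bad:
            findings.append((row_id, bad))
    return findings


# Constructed sample rows (not real Pimcore data). The allowed names stand in
# for whatever classes the application is known to serialize.
ALLOWED = {"App\\Model\\Settings", "DateTime"}
SAMPLE_ROWS = [
    # plain array, no objects
    (1, b'a:1:{s:5:"color";s:3:"red";}'),
    # expected application class
    (2, b'O:18:"App\\Model\\Settings":1:{s:4:"mode";s:4:"dark";}'),
    # object of a class the application never stores: investigate
    (3, b'O:23:"Some\\Vendor\\Logger\\Sink":1:{s:4:"path";s:14:"/tmp/shell.php";}'),
    # object-looking text inside a string; declared length 7 != 9, so ignored
    (4, b's:25:"O:7:"FakeClass":0:{} text";'),
    # built-in class on the allow-list
    (5, b'O:8:"DateTime":3:{s:4:"date";s:19:"2026-06-15 10:00:00";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}'),
]

if __name__ == "__main__":
    for row_id, classes in scan_rows(SAMPLE_ROWS, ALLOWED):
        print("row %d: unexpected serialized classes %s" % (row_id, classes))
```

This is a triage scan, not a fix. The fix is to stop feeding attacker-reachable data to unserialize(): use a non-object format such as JSON where possible, and where PHP serialization must stay, pass the allowed_classes option (unserialize($data, ['allowed_classes' => false]) or an explicit class list) so no gadget class can be instantiated.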
5) Improper access control (CVE-ID: CVE-2026-45703)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the WordExport TranslationController export flow when handling attacker-controlled type/id input for document export. A remote user can request export of a target element without view permission to disclose sensitive information.
For page-like documents, content is rendered in an admin context, which may expose additional backend-visible content.
6) Improper access control (CVE-ID: CVE-2026-45704)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the CustomReports report detail endpoint when handling direct requests for report configurations by name. A remote user can send a crafted request for an unshared report name to disclose sensitive information.
The issue occurs because report listing applies sharing rules while direct report retrieval checks only generic report permissions. The reproduced impact is unauthorized retrieval of report configuration metadata, and similar name-based report resolution paths were noted for other report endpoints but were not verified in this report.
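Items 5 and 6 share one shape: an endpoint that takes an identifier (a type/id pair, a report name) and loads the object directly, while the authorization that gates the listing or normal view path is never applied on that direct route. The following added example (not code from this bulletin or from Pimcore) models the report case: a listing that applies sharing rules, a direct lookup that checks only the generic permission, and a corrected lookup that reuses the same visibility predicate and answers "not found" for both unshared and nonexistent names so they cannot be enumerated. The permission name, report fields and data are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Report:
    name: str
    owner: str
    shared_with: set = field(default_factory=set)
    config: dict = field(default_factory=dict)


# Constructed data; the "reports" permission and the fields are illustrative.
REPORTS = {
    "sales_by_region": Report("sales_by_region", owner="alice",
                              shared_with={"bob"}, config={"sql": "SELECT ..."}),
    "payroll_export": Report("payroll_export", owner="alice",
                             config={"sql": "SELECT ...", "dataSource": "hr_db"}),
}


def has_generic_permission(user):
    return "reports" in user.permissions


def is_visible_to(user, report):
    """The sharing rule: owner or explicitly shared. The listing applies it;
    the direct lookup must apply the very same predicate."""
    return report.owner == user.name or user.name in report.shared_with


def list_reports(user):
    if not has_generic_permission(user):
        raise PermissionError("reports permission required")
    return sorted(r.name for r in REPORTS.values() if is_visible_to(user, r))


def get_report_vulnerable(user, name):
    """Direct retrieval that checks only the generic permission: anyone who
    may see some reports can fetch any report whose name they can guess."""
    if not has_generic_permission(user):
        raise PermissionError("reports permission required")
    return REPORTS[name].config


def get_report_fixed(user, name):
    """Direct retrieval that reuses the listing predicate. Unshared and
    nonexistent names get the same error, so names cannot be enumerated."""
    if not has_generic_permission(user):
        raise PermissionError("reports permission required")
    report = REPORTS.get(name)
    if report is None or not is_visible_to(user, report):
        raise LookupError("report not found")
    return report.config


def is_denied(getter, user, name):
    """True if the given retrieval function refuses the request."""
    try:
        getter(user, name)
    except (PermissionError, LookupError):
        return True
    return False


if __name__ == "__main__":
    bob = User("bob", {"reports"})
    print("bob sees:", list_reports(bob))
    print("vulnerable lookup leaks:", get_report_vulnerable(bob, "payroll_export"))
    print("fixed lookup denied:", is_denied(get_report_fixed, bob, "payroll_export"))
```

The same correction applies to the WordExport case in item 5: resolve the element from the supplied type/id, then run the element's own view check for the requesting user before rendering or exporting anything, and do it for every code path that can hand back content, not only the one the UI normally uses.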
Remediation
Install the fixed Pimcore release referenced in the vendor's GitHub security advisories listed below.
References
- https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx
- https://github.com/pimcore/pimcore/security/advisories/GHSA-r2f4-ff2p-xc64
- https://fluidattacks.com/advisories/dragons
- https://github.com/pimcore/pimcore/security/advisories/GHSA-3234-gxc3-pq6f
- https://github.com/pimcore/pimcore/security/advisories/GHSA-36fc-7wjg-mfvj
- https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq
- https://github.com/pimcore/pimcore/security/advisories
- https://github.com/pimcore/pimcore/security/advisories/GHSA-jwcc-gv4m-93x6