Improper access control in Pimcore - CVE-2020-26246

 

Improper access control in Pimcore - CVE-2020-26246

Published: November 30, 2020 / Updated: June 12, 2026


Vulnerability identifier: #VU134422
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26246
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pimcore
Affected software:
Pimcore

Detailed vulnerability description

The vulnerability allows a remote user to modify website settings, redirects, and asset metadata without appropriate permissions.

The vulnerability exists due to improper access control in website settings, redirects, and asset metadata management functionality when handling modification and creation requests. A remote user can send crafted requests to modify website settings, redirects, and asset metadata without appropriate permissions.


How to mitigate CVE-2020-26246

Install security update from vendor's website.

Sources