Improper access control in Pimcore - CVE-2026-45704

Published: June 15, 2026


Vulnerability identifier: #VU134522
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45704
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pimcore
Affected software:
Pimcore

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the CustomReports report detail endpoint when it handles direct requests for a report configuration by name. A remote authenticated user who holds the generic report permission can request an unshared report by name and disclose sensitive information.

The issue occurs because the report listing applies the configured sharing rules, while direct retrieval of a single report by name checks only the generic report permission and never consults the sharing rules. The reproduced impact is unauthorized retrieval of a report's configuration metadata. Similar name-based report resolution paths were noted for other report endpoints but were not verified in this advisory.
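The following is an added illustration of the authorization gap described above, written for this page and not taken from Pimcore's code base. It models a report store with a listing endpoint that filters by sharing rules and two direct-fetch variants: one that checks only a generic permission (the flawed pattern) and one that re-applies the listing's sharing rule. The field names (`share_globally`, `shared_users`, `shared_roles`), the permission name `reports`, the sample users and the sample reports are all constructed for the example and do not correspond to Pimcore's actual schema.

```python
"""Model of a listing-vs-direct-fetch authorization gap.

Added example for this advisory, not Pimcore's code. All names, fields,
users and reports below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set
    permissions: set  # generic permissions, e.g. {"reports"}


@dataclass
class Report:
    name: str
    owner: str
    share_globally: bool = False
    shared_users: set = field(default_factory=set)
    shared_roles: set = field(default_factory=set)
    config: dict = field(default_factory=dict)


GENERIC_PERMISSION = "reports"  # assumed name of the coarse report permission

# Constructed sample data: one globally shared report, one shared only with "hr".
REPORTS = {
    "sales_overview": Report(
        name="sales_overview", owner="alice", share_globally=True,
        config={"sql": "SELECT region, SUM(total) FROM orders GROUP BY region"},
    ),
    "hr_salaries": Report(
        name="hr_salaries", owner="alice", shared_roles={"hr"},
        config={"sql": "SELECT name, salary FROM employees"},
    ),
}

# Constructed sample users: both hold the generic permission, only CAROL is in "hr".
BOB = User(name="bob", roles={"editor"}, permissions={GENERIC_PERMISSION})
CAROL = User(name="carol", roles={"hr"}, permissions={GENERIC_PERMISSION})
NOBODY = User(name="dan", roles=set(), permissions=set())


def is_shared_with(user: User, report: Report) -> bool:
    """Sharing rule: owner, global share, explicit user share or role share."""
    return (
        user.name == report.owner
        or report.share_globally
        or user.name in report.shared_users
        or bool(user.roles & report.shared_roles)
    )


def require_permission(user: User) -> None:
    """Coarse check that both endpoints perform."""
    if GENERIC_PERMISSION not in user.permissions:
        raise PermissionError("missing generic report permission")


def list_reports(user: User) -> list:
    """Listing endpoint: generic permission AND sharing rules."""
    require_permission(user)
    return sorted(r.name for r in REPORTS.values() if is_shared_with(user, r))


def get_report_vulnerable(user: User, name: str) -> dict:
    """Direct fetch by name with only the generic permission check.

    Any user holding the generic permission can read the configuration of a
    report that the listing would have hidden from them."""
    require_permission(user)
    return REPORTS[name].config


def get_report_fixed(user: User, name: str) -> dict:
    """Direct fetch that re-applies the same sharing rule the listing uses.

    A missing name and an unshared name raise the same error, so the endpoint
    cannot be used as an oracle to enumerate report names."""
    require_permission(user)
    report = REPORTS.get(name)
    if report is None or not is_shared_with(user, report):
        raise PermissionError("report not found or not shared")
    return report.config


def readable(fetch, user: User, name: str) -> bool:
    """True if `fetch` returns a config for `name`, False if it refuses."""
    try:
        fetch(user, name)
        return True
    except (PermissionError, KeyError):
        return False


if __name__ == "__main__":
    print("listing for bob:", list_reports(BOB))
    print("vulnerable fetch of hr_salaries:", readable(get_report_vulnerable, BOB, "hr_salaries"))
    print("fixed fetch of hr_salaries:", readable(get_report_fixed, BOB, "hr_salaries"))
```

The point of the fixed variant is that the authorization decision for a single object must be the same predicate the collection view uses; filtering the list while leaving the by-name lookup on a coarser check is the classic shape of this class of flaw. Returning an identical error for unknown and unshared names is a design choice of the example, added so that the direct endpoint does not leak which report names exist.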


How to mitigate CVE-2026-45704

Install the security update from the vendor's website. Until the update is applied, limit the generic custom-report permission to users who are allowed to see every report, since that permission alone is sufficient to retrieve the configuration of unshared reports by name.

Sources