CVE-2026-23495: Improper Access Control in Pimcore

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.0% (top 99.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 15

Description

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed tha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

Source     | Package                         | Introduced | Fixed   | More
-----------|---------------------------------|------------|---------|-----
NVD        | pimcore/admin_classic_bundle    | 2.0.0      | 2.2.3   | +1
Packagist  | pimcore/admin-ui-classic-bundle | 2.0.0-RC1  | 2.2.3   | +1
CVEListV5  | pimcore/pimcore                 | < 1.7.16   |         | +1

Patches

Vulnerability Details (3)

CVEList: Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing (2026-01-15)
OSV: Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing (2026-01-15)
GHSA: Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing (2026-01-15)

Threat Intelligence (1)

Wiz: CVE-2026-23495 Impact, Exploitability, and Mitigation Steps | Wiz

CVE-2026-23495 — Improper Access Control in Pimcore | cvebase