Improper Access Control in Pimcore's WordExport Feature
CVE-2026-45703

6.4MEDIUM

Key Information:

Vendor

Pimcore

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-45703?

Pimcore, an Open Source Data & Experience Management Platform, suffers from an improper access control vulnerability in its WordExport feature. Before versions 11.5.17 (LTS) and 12.3.7, the system's TranslationController.php file only verifies the word_export feature permission. It allows low-privileged backend users to export document content that they do not have permission to view by directly processing attacker-controlled input. This flaw can lead to unauthorized access to sensitive content, making it imperative for users to upgrade to the latest versions to ensure their systems are secure.

Affected Version(s)

pimcore < 11.5.17 < 11.5.17

pimcore >= 12.0.0, < 12.3.7 < 12.0.0, 12.3.7

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.