Authorization Flaw in Pimcore Data & Experience Management Platform
CVE-2026-45704

7.1HIGH

Key Information:

Vendor

Pimcore

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-45704?

A vulnerability in the Pimcore Data & Experience Management Platform allows a low-privileged backend user, granted reports permission, to access unshared report details through inconsistent authorization measures between the report listing and report detail endpoints. This flaw can enable users to request sensitive report metadata even when sharing is disabled, creating potential exposure of information that should remain confidential. The issue has been addressed in versions 11.5.17 (LTS) and 12.3.6.

Affected Version(s)

pimcore < 11.5.17 < 11.5.17

pimcore >= 12.0.0, < 12.3.6 < 12.0.0, 12.3.6

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.