Authorization Flaw in Pimcore Data & Experience Management Platform
CVE-2026-45704
7.1HIGH
What is CVE-2026-45704?
A vulnerability in the Pimcore Data & Experience Management Platform allows a low-privileged backend user, granted reports permission, to access unshared report details through inconsistent authorization measures between the report listing and report detail endpoints. This flaw can enable users to request sensitive report metadata even when sharing is disabled, creating potential exposure of information that should remain confidential. The issue has been addressed in versions 11.5.17 (LTS) and 12.3.6.
Affected Version(s)
pimcore < 11.5.17 < 11.5.17
pimcore >= 12.0.0, < 12.3.6 < 12.0.0, 12.3.6