CVE-2026-23494
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pimcore | pimcore | up to 12.3.1 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23494 is a broken access control vulnerability in Pimcore's Static Routes feature. The application failed to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. This allowed authenticated backend users without explicit permissions to access sensitive static route configurations via the GET /api/static-routes endpoint. Static routes define custom URL patterns, controllers, variables, and priorities, which are sensitive internal routing metadata. The vulnerability arises from missing function-level authorization, enabling unauthorized users to retrieve this information. It was fixed in Pimcore versions 12.3.1 and 11.5.14 by enforcing stricter permission checks. [1, 4]
How can this vulnerability impact me?
This vulnerability allows low-privileged authenticated backend users to enumerate static routes, revealing URL patterns, associated controllers, and parameter handling. This exposure can facilitate targeted attacks such as path traversal, injection via exposed variables, or discovery of hidden administrative paths. In multi-tenant environments, it could lead to unauthorized data access, workflow manipulation, or escalation to broader system compromise. Additionally, it risks intellectual property leakage of custom routing logic and increases the attack surface for chaining with other vulnerabilities. [4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability can lead to regulatory non-compliance, including with standards like GDPR, because it exposes sensitive internal routing information that could be used to access or manipulate protected data. Unauthorized access to such configuration details increases the risk of data breaches and improper handling of personal or sensitive information, which are critical concerns under regulations like GDPR and HIPAA. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the API endpoint that lists static routes (e.g., GET /api/static-routes) with an authenticated backend user account that lacks explicit permission for static routes. If the request succeeds and returns static route configurations, the system is vulnerable. A practical detection method is to capture a legitimate admin request to /api/static-routes and replay it with a low-privileged backend user's token to see whether access is improperly granted. Specific commands depend on your environment, but curl or a similar HTTP client can send the authenticated GET request to /api/static-routes for testing. [4] For example:

```
curl -H "Authorization: Bearer <token>" https://<pimcore-server>/api/static-routes
```
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Pimcore to version 12.3.1 or later (or 11.5.14 or later on the 11.x line), where the permission checks on the static routes API endpoint have been properly enforced. Additionally, review and restrict backend user permissions so that only authorized users have access to static routes, and avoid exposing sensitive API endpoints to users without explicit permissions. If upgrading immediately is not possible, consider restricting network access to the API endpoint or adding access controls at the network or application firewall level to prevent unauthorized access. [1, 2, 3, 4]
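A defender-side check that follows from the detection and mitigation answers above, added here as an example and not part of the BaseFortify page or of Pimcore itself: it flags installed versions that predate the fixed releases named above (12.3.1 and 11.5.14) and, over constructed access-log lines, lists successful reads of /api/static-routes by backend users outside an assumed allowlist. The log layout, user names and allowlist are assumptions for the example.

```python
import re
from typing import Iterable, List, Set, Tuple

# Fixed releases named in the advisory: 12.3.1 on the 12.x line, 11.5.14 on the 11.x line.
FIXED_12, FIXED_11 = (12, 3, 1), (11, 5, 14)

# Combined access-log layout with the authenticated user in the third field; this layout,
# like the sample lines below, is an assumption for the example, not a Pimcore log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def is_vulnerable_version(version: str) -> bool:
    """True if the release predates the fix on its line (11.x -> 11.5.14, otherwise 12.3.1)."""
    parsed = parse_version(version)
    return parsed < (FIXED_11 if parsed[0] == 11 else FIXED_12)

def find_unauthorized_reads(lines: Iterable[str], allowed_users: Set[str]) -> List[Tuple[str, str, str]]:
    """(user, timestamp, ip) for each successful GET of /api/static-routes by a user not on the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        if m.group("path").split("?", 1)[0] != "/api/static-routes":
            continue
        if not m.group("status").startswith("2"):
            continue  # a non-2xx reply means the server denied the read, as the enforced check should
        if m.group("user") not in allowed_users:
            hits.append((m.group("user"), m.group("ts"), m.group("ip")))
    return hits

# Constructed sample lines (not real traffic); "alice" is the only user assumed to hold the permission.
SAMPLE_LOG = [
    '10.0.0.5 - alice [15/Jan/2026:10:02:11 +0000] "GET /api/static-routes HTTP/1.1" 200 2314',
    '10.0.0.9 - editor_bob [15/Jan/2026:10:05:43 +0000] "GET /api/static-routes HTTP/1.1" 200 2314',
    '10.0.0.9 - editor_bob [15/Jan/2026:10:06:01 +0000] "GET /admin/ HTTP/1.1" 200 9981',
    '10.0.0.12 - carol [15/Jan/2026:10:07:19 +0000] "GET /api/static-routes HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print("12.2.0 still affected:", is_vulnerable_version("12.2.0"))
    for user, ts, ip in find_unauthorized_reads(SAMPLE_LOG, {"alice"}):
        print(f"unauthorized static-route read by {user} from {ip} at {ts}")
```

Run against your real access logs from before the upgrade, with the allowlist set to the backend users who actually hold the static routes permission, to see whether the endpoint was read by anyone else.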