Executive Summary

CVE-2026-23494 is a broken access control vulnerability in Pimcore's Static Routes feature. The application failed to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. This allowed authenticated backend users without explicit permissions to access sensitive static route configurations via the GET /api/static-routes endpoint. Static routes define custom URL patterns, controllers, variables, and priorities, which are sensitive internal routing metadata. The vulnerability arises from missing function-level authorization, enabling unauthorized users to retrieve this information. It was fixed in Pimcore versions 12.3.1 and 11.5.14 by enforcing stricter permission checks. [1, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows low-privileged authenticated backend users to enumerate static routes, revealing URL patterns, associated controllers, and parameter handling. This exposure can facilitate targeted attacks such as path traversal, injection via exposed variables, or discovery of hidden administrative paths. In multi-tenant environments, it could lead to unauthorized data access, workflow manipulation, or escalation to broader system compromise. Additionally, it risks intellectual property leakage of custom routing logic and increases the attack surface for chaining with other vulnerabilities. [4]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability can lead to regulatory non-compliance, including with standards like GDPR, because it exposes sensitive internal routing information that could be used to access or manipulate protected data. Unauthorized access to such configuration details increases the risk of data breaches and improper handling of personal or sensitive information, which are critical concerns under regulations like GDPR and HIPAA. [4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the API endpoint responsible for listing static routes (e.g., GET /api/static-routes) using an authenticated backend user account that lacks explicit permissions for static routes. If the request succeeds and returns static route configurations, the system is vulnerable. A practical detection method is to capture a legitimate admin request to /api/static-routes and replay it with a low-privileged backend user token to see if access is improperly granted. Specific commands depend on your environment, but using curl or similar HTTP clients to send authenticated GET requests to /api/static-routes can be used for testing. For example: curl -H "Authorization: Bearer <token>" https://<pimcore-server>/api/static-routes [4]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Pimcore to version 12.3.1 or 11.5.14 or later, where the permission checks on the static routes API endpoint have been properly enforced. Additionally, review and restrict backend user permissions to ensure only authorized users have access to static routes. Avoid exposing sensitive API endpoints to users without explicit permissions. If upgrading immediately is not possible, consider restricting network access to the API endpoint or implementing additional access controls at the network or application firewall level to prevent unauthorized access. [1, 2, 3, 4]

Useful 0 Not Useful 0