Executive Summary

CVE-2026-23495 is a Broken Access Control vulnerability in Pimcore's Admin Classic Bundle. The API endpoint that lists Predefined Properties—configurable metadata definitions used across documents, assets, and objects—lacks proper server-side authorization checks. This means that an authenticated backend user without explicit permissions for property management can still access and retrieve the full list of these Predefined Properties. This exposure includes metadata schemas, default values, and configuration details that should be restricted. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized backend users to enumerate internal metadata configurations, potentially exposing sensitive business logic, data classification strategies, proprietary keys, or select options. Such exposure can facilitate further attacks like targeted data manipulation or privilege escalation, risking unauthorized changes to asset or object properties. It may also lead to intellectual property leakage and operational inconsistencies within the affected organization. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability poses compliance risks for organizations handling regulated content under standards like GDPR or PCI DSS because unauthorized access to metadata configurations can lead to exposure of sensitive or regulated information. This exposure may result in violations of data protection and privacy requirements, potentially leading to legal and regulatory consequences. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the API endpoint responsible for listing Predefined Properties using an authenticated backend user account that lacks explicit permissions for property management. One approach is to log in as an admin to capture the API request for listing Predefined Properties, including authentication tokens such as Cookie and X-Pimcore-Csrf-Token. Then, use these tokens with a backend user without the required permissions to call the same API endpoint. If the user can retrieve the full list of Predefined Properties, the system is vulnerable. Specific commands would involve using tools like curl or Postman to send HTTP requests to the API endpoint with the captured authentication headers to verify unauthorized access. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Pimcore admin-ui-classic-bundle to version 2.2.3 or later (for the 2.x branch) or 1.7.16 or later (for the 1.x branch), where the vulnerability has been fixed. The fix involves proper server-side authorization checks on the API endpoint for listing Predefined Properties, ensuring that only users with explicit permissions can access this data. Until the upgrade is applied, restrict backend user permissions to prevent unauthorized users from accessing the vulnerable API endpoint. [1, 2, 3, 4]

Useful 0 Not Useful 0