6.5

CVE-2026-23494

Exploit

Pimcore is Missing Function Level Authorization on "Static Routes" Listing

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PimcorePimcore Version < 11.5.14
PimcorePimcore Version >= 12.0.0 < 12.3.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.32% 0.234
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/pimcore/pimcore/releases/tag/v11.5.14
Release Notes
https://github.com/pimcore/pimcore/releases/tag/v12.3.1
Release Notes
https://github.com/pimcore/pimcore/pull/18893
Issue Tracking
https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf
Vendor Advisory
Exploit