Vulnerability Report

CVE-2026-23494

Title: Missing Authorization in Pimcore

Information Disclosure

Proof Of Concept

No public PoC currently indexed for CVE-2026-23494.

CWE Category CWE-284

Published Date Jan 15, 2026

Modified Date Jan 20, 2026

Exploit Status Not Found

Score 4.3 CVSS v3.1

Exploit Probability (EPSS)

0.00%

Vulnerability Summary

CVE-2026-23494: Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.

Impacted Vendors

pimcore 1

Reference Links

https://github.com/pimcore/pimcore/pull/18893 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

6.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N