CVE-2026-23495

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909	Patch
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16	Release Notes
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3	Release Notes
https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pimcore:admin_classic_bundle::::::pimcore::*
	cpe:2.3:a:pimcore:admin_classic_bundle::::::pimcore::*

History

No history.

Information

Published : 2026-01-15 17:16

Updated : 2026-01-30 19:51

NVD link : CVE-2026-23495

Mitre link : CVE-2026-23495

CVE.ORG link : CVE-2026-23495

JSON object : View

Products Affected

pimcore

admin_classic_bundle

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-23495", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-01-15T17:16:08.597", "references": [{"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16."}], "lastModified": "2026-01-30T19:51:59.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*", "vulnerable": true, "matchCriteriaId": "D848061A-CD4D-4B51-BE21-F28E22D61178", "versionEndExcluding": "1.7.16"}, {"criteria": "cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*", "vulnerable": true, "matchCriteriaId": "2DA216D2-3283-4D95-B6CC-1408A9FD4B54", "versionEndExcluding": "2.2.3", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}