Description
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.
Published: 2026-01-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Unprotected API Endpoint
Action: Immediate Patch
AI Analysis

Impact

The vulnerability involves a missing function-level authorization check on the API endpoint that lists static routes in Pimcore. Because the endpoint is reachable by authenticated backend users who do not have explicit permissions, attackers can obtain the complete configuration of custom URL patterns, including regexes, controllers, and priorities. These configurations provide insight into internal application routing and can aid in crafting targeted attacks against specific controllers or services. The weakness is classified as CWE‑284, reflecting improper authorization.

Affected Systems

Pimcore, the open‑source data and experience management platform, is affected in all releases prior to 12.3.1 for the 12.x series and prior to 11.5.14 for the 11.x series. Any installation running those versions exposes the API endpoint that enumerates static routes. Administrators should verify that their deployments are running at least version 12.3.1 of the 12.x line or 11.5.14 of the 11.x line, as the fix was applied in those releases.

Risk and Exploitability

The CVSS base score of 4.3 indicates a moderate risk, while the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability does not appear in the CISA KEV catalog. Attackers must be authenticated to the backend but do not need elevated privileges; thus the impact is limited to confidentiality compromise of route configuration data. Without a patch, any authenticated user could request the listing endpoint and retrieve potentially sensitive routing details.

Generated by OpenCVE AI on April 18, 2026 at 16:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Pimcore to at least version 12.3.1 in the 12.x branch or 11.5.14 in the 11.x branch, which includes the missing authorization check.
  • Configure the application to restrict or disable the /api/static-routes endpoint for users lacking the explicit permission to read static routes, by updating the routing configuration or role permissions.
  • Monitor access logs for calls to /api/static-routes to detect any unauthorized or anomalous activity.

Generated by OpenCVE AI on April 18, 2026 at 16:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m3r2-724c-pwgf Pimcore is Vulnerable to Broken Access Control: Missing Function Level Authorization on "Static Routes" Listing
History

Tue, 20 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Pimcore
Pimcore pimcore
Vendors & Products Pimcore
Pimcore pimcore

Thu, 15 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Description Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.
Title Pimcore is Missing Function Level Authorization on "Static Routes" Listing
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Pimcore Pimcore
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T18:08:13.110Z

Reserved: 2026-01-13T15:47:41.629Z

Link: CVE-2026-23494

cve-icon Vulnrichment

Updated: 2026-01-15T18:08:01.022Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T17:16:08.453

Modified: 2026-01-20T21:47:25.640

Link: CVE-2026-23494

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses