Description
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
Published: 2026-01-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

Pimcore's Admin Classic Bundle contained an authorization flaw in the API endpoint that lists predefined properties. An authenticated backend user who does not have explicit permission to manage properties can call the endpoint and retrieve the entire set of property configurations, exposing metadata such as names, keys, types and default values. This flaw is a CWE-284 Missing Authorization weakness and can lead to unauthorized disclosure of configuration information.

Affected Systems

The vulnerability affects Pimcore Admin Classic Bundle versions prior to 2.2.3 and 1.7.16. Any backend installation of Pimcore that uses these bundle versions is potentially impacted, regardless of how many users are present in the system.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by authenticating to a backend account that lacks property-management rights and then invoking the vulnerable listing endpoint. Because the data exposed is configuration metadata, the primary concern is confidentiality leakage of system setup rather than direct control over the system.

Generated by OpenCVE AI on April 18, 2026 at 06:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pimcore Admin Classic Bundle to version 2.2.3 or later, or 1.7.16 or later, which contain the authorization fix.
  • Restrict backend user accounts to the minimal permissions required, ensuring that only designated administrators have property-management rights.
  • Audit backend access logs for unexpected calls to the predefined-properties endpoint and investigate any anomalies.
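As an added example (not OpenCVE's or Pimcore's code) of the audit step above: a Python script that scans constructed access-log lines for successful calls to the predefined-properties listing endpoint by backend users whose permission set does not include property management. The endpoint path, the permission name and the log format are placeholders, since the advisory does not give them.

```python
import re

# Placeholder route for the predefined-properties listing endpoint. The
# advisory does not name the real route; set this to the path your
# Pimcore deployment exposes.
PROPERTY_LIST_PATH = "/admin/PLACEHOLDER/predefined-properties/list"

# Assumed permission name; the real Pimcore permission key is not on the page.
PROPERTY_PERMISSION = "predefined_properties"

# Combined-log style line with the authenticated backend username in the
# second field (constructed format; adapt the regex to your web server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthorized_listings(lines, user_permissions,
                               path=PROPERTY_LIST_PATH,
                               permission=PROPERTY_PERMISSION):
    """Return (user, timestamp, ip) for every successful (2xx) request to the
    listing endpoint made by a user who lacks the property permission.
    Users missing from the permission map are treated as having none."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] != path:   # ignore the query string
            continue
        if not rec["status"].startswith("2"):      # denied calls disclosed nothing
            continue
        if permission not in user_permissions.get(rec["user"], set()):
            findings.append((rec["user"], rec["ts"], rec["ip"]))
    return findings


# Constructed sample data: one admin with the permission, two editors without.
SAMPLE_PERMISSIONS = {
    "admin": {"predefined_properties", "documents"},
    "editor1": {"documents"},
    "editor2": {"documents"},
}
SAMPLE_LOG = [
    '10.0.0.5 admin [18/Apr/2026:06:00:01 +0000] "GET /admin/PLACEHOLDER/predefined-properties/list HTTP/1.1" 200 1842',
    '10.0.0.9 editor1 [18/Apr/2026:06:02:14 +0000] "GET /admin/PLACEHOLDER/predefined-properties/list?limit=100 HTTP/1.1" 200 1842',
    '10.0.0.9 editor1 [18/Apr/2026:06:02:20 +0000] "GET /admin/documents/list HTTP/1.1" 200 512',
    '10.0.0.7 editor2 [18/Apr/2026:06:05:00 +0000] "GET /admin/PLACEHOLDER/predefined-properties/list HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for user, ts, ip in find_unauthorized_listings(SAMPLE_LOG, SAMPLE_PERMISSIONS):
        print(f"ALERT {ts} user={user} ip={ip} listed predefined properties "
              f"without '{PROPERTY_PERMISSION}'")
```

Only the editor1 request is reported: the admin holds the permission and editor2's call was denied, so it disclosed nothing.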

Advisories
Source: GitHub GHSA
ID: GHSA-hqrp-m84v-2m2f
Title: Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
History

Fri, 30 Jan 2026 20:00:00 +0000

First Time appeared: Pimcore admin Classic Bundle
CPEs: cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*
Vendors & Products: Pimcore admin Classic Bundle

Fri, 16 Jan 2026 14:15:00 +0000

First Time appeared: Pimcore, Pimcore pimcore
Vendors & Products: Pimcore, Pimcore pimcore

Thu, 15 Jan 2026 17:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 17:00:00 +0000

Description: Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.
Title: Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
Weaknesses: CWE-284
References:
Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T17:09:32.298Z

Reserved: 2026-01-13T15:47:41.629Z

Link: CVE-2026-23495

Vulnrichment

Updated: 2026-01-15T17:09:13.047Z

NVD

Status: Analyzed

Published: 2026-01-15T17:16:08.597

Modified: 2026-01-30T19:51:59.950

Link: CVE-2026-23495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses