Description
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.
Published: 2026-01-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Now
AI Analysis

Impact

An authenticated backend user can access the API endpoint that manages "Favourite Output Channel Configurations" without proper server‑side checks, allowing the user to modify or retrieve these configurations. This lack of function‑level authorization permits unauthorized configuration changes, potentially altering print output behavior or compromising data integrity.

Affected Systems

Pimcore Web2Print Tools Bundle, versions prior to 5.2.2 and 6.1.1. Users of the Pimcore platform with the Web2Print Tools package deployed in these versions are affected.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while the EPSS of less than 1% suggests a low exploitation probability at this time. The vulnerability is not listed in CISA’s KEV catalog, so there is no evidence of active exploitation. The likely attack vector involves an authenticated backend user, so the threat is limited to individuals who have legitimate platform access. If such a user accepts the exploit, they can alter printing configuration settings without permission, thereby gaining unauthorized control over print‑related outputs.

Generated by OpenCVE AI on April 18, 2026 at 06:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Web2Print Tools package to at least version 5.2.2 or 6.1.1, which includes the missing authorization checks.
  • After the update, review backend user permissions and remove or restrict the ability to edit “Favourite Output Channel Configurations” for users that do not require this capability.
  • Enable logging and auditing on the configuration API to detect any unauthorized changes and to provide evidence for incident response.

Generated by OpenCVE AI on April 18, 2026 at 06:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4wg4-p27p-5q2r Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization
History

Fri, 30 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Pimcore web2print Tools
Weaknesses CWE-863
CPEs cpe:2.3:a:pimcore:web2print_tools:*:*:*:*:*:pimcore:*:*
Vendors & Products Pimcore web2print Tools

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Pimcore
Pimcore pimcore
Vendors & Products Pimcore
Pimcore pimcore

Thu, 15 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Description Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.
Title Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Pimcore Pimcore Web2print Tools
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T18:26:33.948Z

Reserved: 2026-01-13T15:47:41.629Z

Link: CVE-2026-23496

cve-icon Vulnrichment

Updated: 2026-01-15T18:03:59.526Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T17:16:08.747

Modified: 2026-01-30T19:49:56.363

Link: CVE-2026-23496

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses