Description

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.

INFO

Published Date :

2026-01-15T16:47:07.114Z

Last Modified :

2026-01-15T17:09:32.298Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23495 vulnerability.

Vendors Products
Pimcore
  • Admin Classic Bundle
  • Pimcore
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23495.

URL Resource
https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909 cve-icon cve-icon
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16 cve-icon cve-icon
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3 cve-icon cve-icon
https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact