CVE-2026-23494

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23494

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23494.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-23494

Aliases

GHSA-m3r2-724c-pwgf

Published

2026-01-15T16:52:58.729Z

Modified

2026-01-22T03:45:49.282729Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Pimcore is Missing Function Level Authorization on "Static Routes" Listing

Details

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14.

Database specific

{
    "cwe_ids": [
        "CWE-284"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23494.json"
}

References

Affected packages

Git / github.com/pimcore/pimcore

Affected ranges

Type

GIT

Repo

https://github.com/pimcore/pimcore

Events

Introduced

337f64f750298cf6d55c01c95bc9a7413e41d7d0

Fixed

faf1168fb38bdba57e5c5cb7143997fca9b7680b

Database specific

{
    "versions": [
        {
            "introduced": "12.0.0-RC1"
        },
        {
            "fixed": "12.3.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/pimcore/pimcore

Events

Introduced

Fixed

002ec7d5f84973819236796e5b314703b58e8601

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "11.5.14"
        }
    ]
}

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.1.0

3.1.1

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

v10.*

v10.0.0

v10.0.0-BETA1

v10.0.0-BETA2

v10.0.0-BETA3

v10.0.0-BETA4

v10.0.1

v10.0.2

v10.0.3

v10.0.4

v10.0.5

v10.0.6

v10.0.7

v10.0.8

v10.0.9

v10.1.0

v10.1.1

v10.1.2

v10.1.3

v10.1.4

v10.1.5

v10.2.0

v10.2.1

v10.2.10

v10.2.2

v10.2.3

v10.2.4

v10.2.5

v10.2.6

v10.2.7

v10.2.8

v10.2.9

v10.3.0

v10.3.1

v10.3.2

v10.3.3

v10.3.4

v10.3.5

v10.3.6

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.5.0

v10.5.1

v10.5.10

v10.5.11

v10.5.12

v10.5.13

v10.5.14

v10.5.15

v10.5.16

v10.5.17

v10.5.18

v10.5.19

v10.5.2

v10.5.20

v10.5.21

v10.5.22

v10.5.23

v10.5.24

v10.5.25

v10.5.3

v10.5.4

v10.5.5

v10.5.6

v10.5.7

v10.5.8

v10.5.9

v10.6.0

v10.6.1

v10.6.2

v10.6.3

v10.6.4

v10.6.5

v10.6.6

v10.6.7

v10.6.8

v10.6.9

v11.*

v11.0.0

v11.0.0-ALPHA1

v11.0.0-ALPHA2

v11.0.0-ALPHA3

v11.0.0-ALPHA4

v11.0.0-ALPHA5

v11.0.0-ALPHA6

v11.0.0-ALPHA7

v11.0.0-ALPHA8

v11.0.0-BETA1

v11.0.0-RC1

v11.0.0-RC2

v11.0.1

v11.0.10

v11.0.11

v11.0.12

v11.0.2

v11.0.3

v11.0.4

v11.0.5

v11.0.6

v11.0.7

v11.0.8

v11.0.9

v11.1.0

v11.1.0-RC1

v11.1.1

v11.1.2

v11.1.3

v11.1.4

v11.1.5

v11.1.6

v11.2.0

v11.2.1

v11.2.2

v11.2.3

v11.2.4

v11.2.5

v11.2.6

v11.2.7

v11.3.0

v11.3.0-RC1

v11.3.0-RC2

v11.3.1

v11.3.2

v11.3.3

v11.4.0

v11.4.0-RC1

v11.4.1

v11.4.2

v11.4.3

v11.4.4

v11.5.0

v11.5.0-RC1

v11.5.0-RC2

v11.5.1

v11.5.10

v11.5.11

v11.5.12

v11.5.13

v11.5.14

v11.5.2

v11.5.3

v11.5.4

v11.5.5

v11.5.6

v11.5.7

v11.5.8

v11.5.9

v12.*

v12.0.0

v12.0.0-RC1

v12.0.0-RC2

v12.0.1

v12.0.2

v12.0.3

v12.0.4

v12.1.0

v12.1.1

v12.1.2

v12.1.3

v12.1.4

v12.1.5

v12.2.0

v12.2.1

v12.2.2

v12.2.3

v12.2.4

v12.3.0

v5.*

v5.0.0

v5.0.0-RC

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.1.0

v5.1.0-alpha

v5.1.1

v5.1.2

v5.1.3

v5.2.0

v5.2.3

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.4.4

v5.5.0

v5.5.1

v5.5.2

v5.5.3

v5.5.4

v5.6.0

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.8.0

v5.8.1

v5.8.2

v5.8.3

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.1.0

v6.1.1

v6.1.2

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.4.0

v6.4.1

v6.4.2

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.10

v6.6.11

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7.0

v6.7.1

v6.7.2

v6.7.3

v6.8.0

v6.8.1

v6.8.10

v6.8.11

v6.8.12

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.8.8

v6.8.9

v6.9.0

v6.9.1

v6.9.2

v6.9.3

v6.9.4

v6.9.5

v6.9.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23494.json"