CVE-2026-23495

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23495

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23495.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-23495

Aliases

GHSA-hqrp-m84v-2m2f

Published

2026-01-15T16:47:07.114Z

Modified

2026-01-31T21:34:14.984410Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing

Details

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23495.json"
}

References

Affected packages

Git / github.com/pimcore/admin-ui-classic-bundle

Affected ranges

Type

GIT

Repo

https://github.com/pimcore/admin-ui-classic-bundle

Events

Introduced

3641a9db5c64be62eb1646c4fbae43776fde44bb

Fixed

ab8338f08dc63f041535068eb9c3e2c6424b4a0d

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0-RC1"
        },
        {
            "fixed": "2.2.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/pimcore/admin-ui-classic-bundle

Events

Introduced

Fixed

50e5c68d19e3275877637c0d47eae5461af12c8a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.7.16"
        }
    ]
}

Affected versions

1.*

1.4.0

2.*

2.0.0-RC2

v1.*

v1.0.0

v1.0.0-BETA1

v1.0.0-RC1

v1.0.0-RC2

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.1.0

v1.1.0-RC1

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.2.0

v1.2.0-RC1

v1.2.1

v1.2.2

v1.2.3

v1.3.0

v1.3.0-RC1

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.5.0

v1.5.0-RC1

v1.5.0-RC2

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6.0

v1.6.0-RC1

v1.6.0-RC2

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.7.0

v1.7.1

v1.7.10

v1.7.12

v1.7.13

v1.7.14

v1.7.15

v1.7.16

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v2.*

v2.0.0

v2.0.0-RC1

v2.0.0-RC2

v2.0.0-RC3

v2.0.0-RC4

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.2.0

v2.2.1

v2.2.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23495.json"