CVE-2026-23495

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 2.2.3 and versions prior to 1.7.16

Description The API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions used across documents, assets, and objects to standardize custom attributes. An authenticated backend user without explicit permissions for property management can call the endpoint and retrieve the complete list of these configurations. This allows unauthorized access to administrative features and potentially violates role-based access controls. The API endpoint in question is used for listing Predefined Properties.

Recommendations Versions prior to 2.2.3 should be updated to version 2.2.3 or later. Versions prior to 1.7.16 should be updated to version 1.7.16 or later.