CVE-2026-23494

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 12.3.1 Pimcore versions prior to 11.5.14

Description The application does not properly enforce server-side authorization checks on the API endpoint responsible for reading or listing static routes. Static routes are custom URL patterns defined through the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. An authenticated backend user lacking explicit permissions can invoke the API endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This violates access control principles, allowing unauthorized access to internal routing metadata. Exploitation enables low-privileged users to enumerate static routes, potentially revealing application architecture, endpoints, or custom logic.

Recommendations Versions prior to 12.3.1 should be updated to version 12.3.1 or later. Versions prior to 11.5.14 should be updated to version 11.5.14 or later.