PT-2026-44147 · Packagist · Pimcore/Pimcore

Published

2026-05-27

·

Updated

2026-05-27

·

CVE-2026-45162

CVSS v3.1

8.0

High

VectorAV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

GM-374

Summary

Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed classes restriction, enabling object injection if an attacker can control the serialized data source.

Affected Component

  • Package: pimcore/pimcore and pimcore/admin-ui-classic-bundle
  • Files:
  • lib/Tool/Authentication.php (line 82) — session token deserialization
  • models/Site/Dao.php (line 68) — site domains from database
  • models/DataObject/ClassDefinition/CustomLayout/Dao.php (line 69) — layout definitions from database
  • models/Tool/TmpStore/Dao.php (line 64) — temporary store data from database
  • models/Asset/WebDAV/Service.php (line 36) — delete log from filesystem
  • admin-ui-classic-bundle/src/Helper/Dashboard.php (line 64) — dashboard config from filesystem

Description

Six locations in Pimcore core call unserialize() directly (bypassing ToolSerialize) on data sourced from database columns or filesystem files without passing the allowed classes parameter. This means any class available in the autoloader will be instantiated during deserialization.
If an attacker can write to the data source (e.g., via SQL injection targeting the tmp store, sites, or custom layouts tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.
This is related to but distinct from the ToolSerialize::unserialize() issue — these calls bypass the wrapper entirely.

Impact

PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.

Proof of Concept

  1. Identify a writable data source (e.g., tmp store table via SQL injection, or webdav-delete.dat via file write)
  2. Write a serialized PHP gadget chain (e.g., Monolog BufferHandler chain from phpggc)
  3. Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation)
  4. The gadget chain executes with web server privileges

Suggested Fix

Add allowed classes parameter to all unserialize() calls. Where no objects are needed, use ['allowed classes' => false]. Consider migrating to JSON serialization for data that doesn't require object preservation.
php
// Example fix for Site/Dao.php:
$siteDomains = unserialize($site['domains'], ['allowed classes' => false]);

// Example fix for TmpStore/Dao.php:
$item['data'] = unserialize($item['data'], ['allowed classes' => false]);

Resources

  • CWE-502: Deserialization of Untrusted Data
  • OWASP Deserialization Cheat Sheet
  • phpggc: PHP Generic Gadget Chains

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2026-45162
GHSA-36FC-7WJG-MFVJ

Affected Products

Pimcore/Pimcore