GHSA-36fc-7wjg-mfvj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-36fc-7wjg-mfvj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-36fc-7wjg-mfvj/GHSA-36fc-7wjg-mfvj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-36fc-7wjg-mfvj
- Aliases
-
- CVE-2026-45162
- Published
- 2026-05-27T16:57:04Z
- Modified
- 2026-05-27T17:00:08.785969144Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
- Details
-
GM-374
Summary
Multiple locations in Pimcore v11 call PHP's
unserialize()on data from database columns and filesystem files without theallowed_classesrestriction, enabling object injection if an attacker can control the serialized data source.Affected Component
- Package:
pimcore/pimcoreandpimcore/admin-ui-classic-bundle - Files:
lib/Tool/Authentication.php(line 82) — session token deserializationmodels/Site/Dao.php(line 68) — site domains from databasemodels/DataObject/ClassDefinition/CustomLayout/Dao.php(line 69) — layout definitions from databasemodels/Tool/TmpStore/Dao.php(line 64) — temporary store data from databasemodels/Asset/WebDAV/Service.php(line 36) — delete log from filesystemadmin-ui-classic-bundle/src/Helper/Dashboard.php(line 64) — dashboard config from filesystem
Description
Six locations in Pimcore core call
unserialize()directly (bypassingTool\Serialize) on data sourced from database columns or filesystem files without passing theallowed_classesparameter. This means any class available in the autoloader will be instantiated during deserialization.If an attacker can write to the data source (e.g., via SQL injection targeting the
tmp_store,sites, orcustom_layoutstables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.This is related to but distinct from the
Tool\Serialize::unserialize()issue — these calls bypass the wrapper entirely.Impact
PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.
Proof of Concept
- Identify a writable data source (e.g.,
tmp_storetable via SQL injection, orwebdav-delete.datvia file write) - Write a serialized PHP gadget chain (e.g., Monolog
BufferHandlerchain from phpggc) - Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation)
- The gadget chain executes with web server privileges
Suggested Fix
Add
allowed_classesparameter to allunserialize()calls. Where no objects are needed, use['allowed_classes' => false]. Consider migrating to JSON serialization for data that doesn't require object preservation.// Example fix for Site/Dao.php: $siteDomains = unserialize($site['domains'], ['allowed_classes' => false]); // Example fix for TmpStore/Dao.php: $item['data'] = unserialize($item['data'], ['allowed_classes' => false]);Resources
- CWE-502: Deserialization of Untrusted Data
- OWASP Deserialization Cheat Sheet
- phpggc: PHP Generic Gadget Chains
- Package:
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-27T16:57:04Z", "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-502" ] }- References
Affected packages
Packagist / pimcore/pimcore
Package
- Name
- pimcore/pimcore
- Purl
- pkg:composer/pimcore%2Fpimcore
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed12.3.7