CVE-2026-45704

Source
https://cve.org/CVERecord?id=CVE-2026-45704
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45704.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45704
Aliases
Published
2026-07-17T19:12:50.888Z
Modified
2026-07-18T03:47:24.132134240Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Pimcore: CustomReports Share Bypass
Details

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php and bundles/CustomReportsBundle/src/Tool/Config/Listing/Dao.php, allowing a low-privileged backend user with the reports permission to directly request an unshared report such as poc-secret-report by name and read report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings even when shareGlobally is false. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6.

Database specific
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45704.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "11.5.17"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/pimcore/pimcore

Affected ranges

Type
GIT
Repo
https://github.com/pimcore/pimcore
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "12.3.6"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v12.*
v12.0.0
v12.1.0
v12.2.0
v12.2.1
v12.3.0
v12.3.1
v12.3.1.1
v12.3.2
v12.3.3
v12.3.4
v12.3.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45704.json"