CVE-2026-23495

low-risk

Published 2026-01-15

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.

Do I need to act?

0.00% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Admin Classic Bundle

Affected Vendors

Pimcore

References (4)

Patch https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cad...

Release Notes https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16

Release Notes https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3

Exploit https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal