Missing Authorization Affecting pimcore/pimcore package, versions <12.3.7
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Missing Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-PIMCOREPIMCORE-17112576
- published31 May 2026
- disclosed27 May 2026
- creditlarlarua
Introduced: 27 May 2026
NewCVE-2026-45260 (opens in a new tab)How to fix?
Upgrade pimcore/pimcore to version 12.3.7 or higher.
Overview
pimcore/pimcore is a content & product management framework (CMS/PIM/E-Commerce).
Affected versions of this package are vulnerable to Missing Authorization via the Tree::move process. An attacker can delete or overwrite assets without proper authorization by sending a crafted WebDAV MOVE request to the asset endpoint when the source and destination asset paths are known or guessable. This can be performed by unauthenticated remote attackers or authenticated low-privileged users due to missing permission checks in the move operation.