Auth bypass in Pimcore

CVE-2026-45704

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.6, CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint in bundles/CustomReportsBu…

Vulnerability class: Broken Access Control

Affected products

  • Pimcore — versions < 11.5.17, >= 12.0.0, < 12.3.6

Weakness classification (CWE)

References