GHSA-332x-r494-54fq: Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export
Summary
The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself.
As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.
In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:
- POC-WORDEXPORT-TITLE
- POC-WORDEXPORT-DESC
Root Cause
The controller only performs a feature-level permission check before starting the export flow:
- TranslationController.php
- TranslationController.php#L44)
It then directly resolves the target element from attacker-controlled type/id input:
- TranslationController.php
- TranslationController.php
For document-like elements such as Page and Snippet, it renders content in an admin context:
- TranslationController.php
- TranslationController.php
- TranslationController.php
No object-level authorization check such as isAllowed('view') is enforced on the target element.
Affected Scope
Based on the source code, the following element types may be affected:
- page
- snippet
- email
- object
For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.
Preconditions
- The attacker is an authenticated backend user
- The attacker has the word_export permission
- The attacker does not have view permission on the target document
Reproduction Environment
- Reproduction root: pimcore-12.3.3-repro
- Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-
Details
Original advisory: https://github.com/advisories/GHSA-332x-r494-54fq
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-45703 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10