CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-332x-r494-54fq: Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export

mediumCVSS 6.4CVE-2026-45703
Summary The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document. In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view: - POC-WORDEXPORT-TITLE - POC-WORDEXPORT-DESC Root Cause The controller only performs a feature-level permission check before starting the export flow: - TranslationController.php - TranslationController.php#L44) It then directly resolves the target element from attacker-controlled type/id input: - TranslationController.php - TranslationController.php For document-like elements such as Page and Snippet, it renders content in an admin context: - TranslationController.php - TranslationController.php - TranslationController.php No object-level authorization check such as isAllowed('view') is enforced on the target element. Affected Scope Based on the source code, the following element types may be affected: - page - snippet - email - object For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content. Preconditions - The attacker is an authenticated backend user - The attacker has the word_export permission - The attacker does not have view permission on the target document Reproduction Environment - Reproduction root: pimcore-12.3.3-repro - Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.4
Published
2026-05-27
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-332x-r494-54fq

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-45703coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories