GHSA-36fc-7wjg-mfvj: Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
GitHub Security Advisory Draft — GM-374
Summary
Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source.
Severity
CVSS 3.1: 8.0 (High) — AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Component
- Package: pimcore/pimcore and pimcore/admin-ui-classic-bundle
- Files:
- lib/Tool/Authentication.php (line 82) — session token deserialization
- models/Site/Dao.php (line 68) — site domains from database
- models/DataObject/ClassDefinition/CustomLayout/Dao.php (line 69) — layout definitions from database
- models/Tool/TmpStore/Dao.php (line 64) — temporary store data from database
- models/Asset/WebDAV/Service.php (line 36) — delete log from filesystem
- admin-ui-classic-bundle/src/Helper/Dashboard.php (line 64) — dashboard config from filesystem
Description
Six locations in Pimcore core call unserialize() directly (bypassing Tool\Serialize) on data sourced from database columns or filesystem files without passing the allowed_classes parameter. This means any class available in the autoloader will be instantiated during deserialization.
If an attacker can write to the data source (e.g., via SQL injection targeting the tmp_store, sites, or custom_layouts tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.
This is related to but distinct from the Tool\Serialize::unserialize() issue — these calls bypass the wrapper entirely.
Impact
PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.
Proof of Concept
1. Identify a writable data source (e.g., tmp_store table via SQL injection, or webdav-delete.dat via file write)
2. Write
Details
Original advisory: https://github.com/advisories/GHSA-36fc-7wjg-mfvj
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-45162 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10