CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-jwcc-gv4m-93x6: Pimcore has a CustomReports Share Bypass

highCVE-2026-45704
Summary CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint. - The listing flow filters reports based on report-sharing rules - The detail flow only checks generic reports or reports_config permissions As a result, a low-privileged backend user who was not granted access to a report can still read that report directly by name even though it does not appear in the user's visible report list. In the local Docker reproduction: - The report poc-secret-report was not visible to the low-privileged user in the report list - The same user was still able to retrieve the report configuration directly by name Root Cause The listing flow in getReportConfigAction() filters reports through loadForGivenUser(): - CustomReportController.php - CustomReportController.php - CustomReportController.php - Config/Listing/Dao.php - Config/Listing/Dao.php However, getAction() only checks generic permissions and then loads the report directly by name: - CustomReportController.php - CustomReportController.php - CustomReportController.php - CustomReportController.php This means the same report object is protected by different authorization models depending on which endpoint is used. The result is a classic "not visible in list, but readable by direct request" access-control bypass. Impact An attacker can read sensitive report metadata without authorization, including: - Report name - Grouping information - Display and icon metadata - Data sourc

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-05-27
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-jwcc-gv4m-93x6

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-45704coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories