CVE-2026-45703
Summary
The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself.
As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.
In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:
- POC-WORDEXPORT-TITLE
- POC-WORDEXPORT-DESC
Root Cause
The controller only performs a feature-level permission check before starting the export flow:
- TranslationController.php
- TranslationController.php#L44)
It then directly resolves the target element from attacker-controlled type/id input:
- TranslationController.php
- TranslationController.php
For document-like elements such as Page and Snippet, it renders content in an admin context:
- TranslationController.php
- TranslationController.php
- TranslationController.php
No object-level authorization check such as isAllowed('view') is enforced on the target element.
Affected Scope
Based on the source code, the following element types may be affected:
- page
- snippet
- email
- object
For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.
Preconditions
- The attacker is an authenticated backend user
- The attacker has the word_export permission
- The attacker does not have view permission on the target document
Reproduction Environment
- Reproduction root: pimcore-12.3.3-repro
- Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-
⚡ Watch CVE-2026-45703
Get an email if CVE-2026-45703 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-45703)