CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-45703

mediumCVSS 6.4covered by 1 sourcefirst seen 2026-05-27
Summary The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document. In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view: - POC-WORDEXPORT-TITLE - POC-WORDEXPORT-DESC Root Cause The controller only performs a feature-level permission check before starting the export flow: - TranslationController.php - TranslationController.php#L44) It then directly resolves the target element from attacker-controlled type/id input: - TranslationController.php - TranslationController.php For document-like elements such as Page and Snippet, it renders content in an admin context: - TranslationController.php - TranslationController.php - TranslationController.php No object-level authorization check such as isAllowed('view') is enforced on the target element. Affected Scope Based on the source code, the following element types may be affected: - page - snippet - email - object For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content. Preconditions - The attacker is an authenticated backend user - The attacker has the word_export permission - The attacker does not have view permission on the target document Reproduction Environment - Reproduction root: pimcore-12.3.3-repro - Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-

⚡ Watch CVE-2026-45703

Get an email if CVE-2026-45703 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-45703

CVE.org record

Embed the live status

CVE-2026-45703 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-45703 status](https://www.csirts.com/badge/CVE-2026-45703)](https://www.csirts.com/cve/CVE-2026-45703)