CVE-2026-45704
Summary
CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint.
- The listing flow filters reports based on report-sharing rules
- The detail flow only checks generic reports or reports_config permissions
As a result, a low-privileged backend user who was not granted access to a report can still read that report directly by name even though it does not appear in the user's visible report list.
In the local Docker reproduction:
- The report poc-secret-report was not visible to the low-privileged user in the report list
- The same user was still able to retrieve the report configuration directly by name
Root Cause
The listing flow in getReportConfigAction() filters reports through loadForGivenUser():
- CustomReportController.php
- CustomReportController.php
- CustomReportController.php
- Config/Listing/Dao.php
- Config/Listing/Dao.php
However, getAction() only checks generic permissions and then loads the report directly by name:
- CustomReportController.php
- CustomReportController.php
- CustomReportController.php
- CustomReportController.php
This means the same report object is protected by different authorization models depending on which endpoint is used. The result is a classic "not visible in list, but readable by direct request" access-control bypass.
Impact
An attacker can read sensitive report metadata without authorization, including:
- Report name
- Grouping information
- Display and icon metadata
- Data sourc
⚡ Watch CVE-2026-45704
Get an email if CVE-2026-45704 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
- highGHSA-jwcc-gv4m-93x6: Pimcore has a CustomReports Share Bypassghsa · 2026-05-27
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-45704)