
CVE-2026-23495: Medium Vulnerability in Pimcore Admin Classic Bundle

A medium-severity vulnerability in Pimcore's Admin Classic Bundle lets an authenticated backend user who lacks the relevant permission retrieve the full list of Predefined Properties. Organizations should move to the fixed releases to close this exposure of configuration data.

Severity: Medium · CVSS 4.3 · Published January 15, 2026


This vulnerability allows unauthorized access to configuration data within the Pimcore Admin Classic Bundle. The issue lies in the API endpoint that lists Predefined Properties, which does not perform an adequate server-side authorization check before returning results. Any authenticated backend user, including one who has not been granted the permission that is supposed to gate this data, can call the endpoint and retrieve the complete list of these configurations. The vulnerability affects versions prior to 2.2.3 on the 2.x branch and prior to 1.7.16 on the 1.x branch.

The severity of this vulnerability is classified as medium, with a CVSS score of 4.3. This indicates a moderate risk: configuration data is exposed to users who should not see it, but nothing is modified and availability is unaffected. Organizations should address it in their regular priority patch cycle.

Exploitation requires nothing more than a valid backend login; the missing check is the one that would otherwise enforce the permission model for this data. Organizations running affected versions should patch rather than rely on backend role configuration, because that configuration is exactly what the endpoint fails to consult.

The vulnerability was disclosed on January 15, 2026, and was fixed in versions 2.2.3 and 1.7.16. Organizations should review their deployment of Pimcore and ensure that they are using the latest versions to mitigate this risk.

Vulnerability Details

Pimcore's Admin Classic Bundle provides the backend UI for Pimcore. The API endpoint for listing Predefined Properties lacks an adequate server-side authorization check, so authenticated backend users without the corresponding permission can read this configuration data. The weakness is classified as CWE-284: Improper Access Control.

The CVSS score of 4.3 (medium) corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low attack complexity, low privileges (an ordinary backend account) required, and no user interaction needed. Because the only precondition is an authenticated session, every backend account becomes a potential vantage point for reading the data.

Technical Analysis

The root cause of this vulnerability stems from insufficient authorization checks on the API endpoint for Predefined Properties. The attack vector is through the network, where a low-privileged authenticated user can make API calls to retrieve data they should not have access to.

The attack complexity is low: no special tooling or timing is needed beyond issuing the listing request with a valid backend session. Only low privileges are required and no user interaction is needed. The impact is limited to confidentiality (low): an unauthorized user can read the Predefined Property definitions, but cannot change them or affect availability through this flaw.

Risk & Impact Analysis

The direct risk is disclosure of configuration metadata to backend users who were deliberately excluded from it. Predefined Property definitions can reveal how content is structured and what internal conventions are in use, which is useful reconnaissance for an insider or for an attacker who has compromised a low-privileged backend account, but the flaw does not by itself expose content, credentials, or any write capability. The blast radius is therefore bounded by the number of backend accounts and by how sensitive the property definitions are in a given deployment; organizations that grant backend access broadly (agencies, contractors, large editorial teams) should treat it with more urgency than those with a handful of trusted administrators.

Exploitation Status

Signal              Status
Known Exploit       No
Public PoC          No
Actively Exploited  No
Ransomware Use      No

Affected Versions

The affected versions of the Pimcore Admin Classic Bundle are all releases on the 2.x branch prior to 2.2.3 and all releases on the 1.x branch prior to 1.7.16. Organizations should confirm the installed version (for example from the Composer lock file of the Pimcore project) and upgrade to the patched release for their branch.
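A branch-aware check of the installed version, written as an added example for this advisory (it is not code from Pimcore or from the advisory). It assumes the Composer package is named pimcore/admin-ui-classic-bundle and that later releases on each branch include the fix; the lock file embedded below is constructed for illustration. Pre-release tags such as 2.2.3-RC1 are treated as predating the fixed release, and untagged dev branches are reported as unknown rather than silently passed.

```python
"""Flag a Composer lock file that pins a vulnerable Admin Classic Bundle.

Added example, not Pimcore's code. Assumptions: the package name below, and
that every release at or above the fixed version on its branch carries the fix.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "pimcore/admin-ui-classic-bundle"  # assumed Composer package name

# Fixed releases per branch, from the advisory. The trailing 1 marks a final
# (non pre-release) tag so that e.g. 2.2.3-RC1 sorts below 2.2.3.
FIXED_BY_BRANCH = {1: (1, 7, 16, 1), 2: (2, 2, 3, 1)}

# v-prefix optional, then major.minor.patch, optional -prerelease, optional +build
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+.*)?$")


def parse_version(tag: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, is_final) or None for tags that cannot be compared."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        return None  # dev-main, branch aliases, etc.
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_vulnerable(tag: str) -> Optional[bool]:
    """True if the tag predates the fix on its branch, False if fixed, None if undetermined."""
    version = parse_version(tag)
    if version is None:
        return None
    fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return None  # branch not covered by the advisory; check upstream notes
    return version < fixed


def check_composer_lock(lock_text: str) -> dict:
    """Locate the bundle in composer.lock (prod and dev sections) and classify it."""
    data = json.loads(lock_text)
    result = {"found": False, "version": None, "vulnerable": None}
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            result["found"] = True
            result["version"] = pkg.get("version")
            result["vulnerable"] = is_vulnerable(pkg.get("version", ""))
            break
    return result


# Constructed lock file fragment for demonstration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "pimcore/pimcore", "version": "v11.4.2"},
        {"name": PACKAGE, "version": "v2.2.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```

Run it against a real lock file with `check_composer_lock(open("composer.lock").read())`; a result of None for "vulnerable" means the version string needs a manual look, not that the install is safe.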

Mitigation & Remediation

To remediate this vulnerability, upgrade the Pimcore Admin Classic Bundle to 2.2.3 (2.x branch) or 1.7.16 (1.x branch). Tightening backend role permissions is not a substitute: the permission is already supposed to gate this endpoint, and the flaw is that the endpoint does not check it. If immediate patching is not possible, reduce the set of accounts that can authenticate to the backend at all (disable dormant and shared accounts, review contractor access), and monitor requests to the Predefined Properties listing endpoint until the fix is deployed.

Detection Guidance

Monitor requests to the Predefined Properties listing endpoint and correlate them with the backend user behind the session. On unpatched systems, a successful (HTTP 200) response to a user who does not hold the relevant permission is a confirmed unauthorized read; after patching, the same request from such a user should be rejected, and repeated rejections indicate someone probing for the flaw. Unusual volumes of listing calls from any account, including permitted ones, are also worth investigating.
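The triage logic described above, as an added example that is not part of the advisory or of Pimcore. It assumes the listing route is /admin/settings/properties (confirm the real route in your deployment, for example with `bin/console debug:router`), that request logs are JSON lines carrying the authenticated backend username (added by a reverse proxy or a logging processor in your stack), and that the set of entitled users comes from your own export of backend permissions. The log lines and user set below are constructed.

```python
"""Triage request logs for reads of the Predefined Properties listing endpoint.

Added example, not Pimcore's code. Assumptions: the route constant, the log
shape (JSON lines with user/path/status), and the entitled-user set.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

PROPERTIES_ROUTE = "/admin/settings/properties"  # assumed; verify with bin/console debug:router
ALLOWED_USERS = {"admin", "cms-architect"}        # constructed: users who hold the permission
BURST_THRESHOLD = 3                               # more calls than this from one user is unusual


def parse_record(line: str) -> Optional[dict]:
    """Parse one JSON log line; skip blank or malformed lines instead of aborting the run."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not {"user", "path", "status"} <= rec.keys():
        return None
    return rec


def is_properties_call(rec: dict) -> bool:
    """Match the route regardless of query string or trailing slash."""
    return rec["path"].split("?", 1)[0].rstrip("/") == PROPERTIES_ROUTE


def find_findings(log_text: str) -> List[Dict]:
    """Return one finding per (user, status) pair that warrants a look."""
    per_user_status: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_properties_call(rec):
            continue
        per_user_status[(rec["user"], int(rec["status"]))] += 1

    findings = []
    for (user, status), count in sorted(per_user_status.items()):
        if user not in ALLOWED_USERS:
            # 200 = the flaw was used (unpatched); 403 = the patched check fired on a probe
            if status == 200:
                reason = "unauthorized_read"
            elif status == 403:
                reason = "blocked_probe"
            else:
                reason = "unauthorized_other"
            findings.append({"user": user, "status": status, "count": count, "reason": reason})
        elif count > BURST_THRESHOLD:
            findings.append({"user": user, "status": status, "count": count, "reason": "burst"})
    return findings


def _rec(user: str, path: str, status: int) -> str:
    return json.dumps({"user": user, "method": "GET", "path": path, "status": status})


# Constructed sample log: one entitled user with a burst, one editor reading the
# list without permission, one probe that was rejected, noise and a broken line.
SAMPLE_LOG = "\n".join(
    [_rec("admin", PROPERTIES_ROUTE, 200) for _ in range(4)]
    + [
        _rec("editor-jdoe", PROPERTIES_ROUTE + "?_dc=1737000000", 200),
        _rec("editor-jdoe", PROPERTIES_ROUTE, 200),
        _rec("editor-jdoe", "/admin/document/get?id=12", 200),
        _rec("contractor-x", PROPERTIES_ROUTE, 403),
        "this line is not json",
    ]
)

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOG):
        print(finding)
```

Point it at real logs with `find_findings(open("access.jsonl").read())`; "unauthorized_read" findings on an unpatched host are the ones to escalate, since they mean the data was actually returned.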

AppSecure Threat Intelligence Insight

The long-term lesson from this vulnerability is that authorization must be enforced server-side on every endpoint, not only reflected in what the UI shows. Organizations should conduct regular security assessments, including application security assessments, and ensure that their development teams are trained in secure coding practices.

Additionally, organizations are encouraged to consider proactive measures such as red teaming services to simulate real-world attacks and identify potential weaknesses in their security posture.

Lastly, integrating penetration testing into the security strategy can greatly enhance an organization's ability to detect and remediate vulnerabilities before they can be exploited.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
