CVE-2026-45260: Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
Pimcore’s WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without registering an authentication plugin in the WebDAV controller. The Tree::move() implementation then mutates and deletes the asset before checking for a current Pimcore user or any asset permissions.
An unauthenticated remote attacker who knows two existing asset paths in the same directory can send a WebDAV MOVE request that deletes the source asset. Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce rename, delete, create, or publish permissions.
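The defect is one of ordering: the endpoint runs without an authentication plugin, and the move routine mutates state before any user or permission check. The following PHP 8 snippet is an added illustration, not Pimcore's code or the code from the fix commit; the classes User, Asset, AssetStore and MoveHandler and the permission names rename, delete and create are hypothetical stand-ins. It shows the fail-closed ordering a defender wants from a WebDAV MOVE handler: authenticate, resolve the source, check permissions on both source and destination, and only then touch the store.

```php
<?php
// Added example (not Pimcore's API): a minimal MOVE handler that checks
// authentication and authorization before it mutates or deletes anything.
// All class, method and permission names here are hypothetical.

final class User
{
    public function __construct(public string $name, private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class Asset
{
    public function __construct(public string $path) {}
}

final class AssetStore
{
    /** @var array<string, Asset> keyed by path */
    private array $assets = [];

    public function add(string $path): void { $this->assets[$path] = new Asset($path); }
    public function exists(string $path): bool { return isset($this->assets[$path]); }
    public function paths(): array { return array_keys($this->assets); }
    public function delete(string $path): void { unset($this->assets[$path]); }

    public function rename(string $from, string $to): void
    {
        $asset = $this->assets[$from];
        unset($this->assets[$from]);
        $asset->path = $to;
        $this->assets[$to] = $asset;
    }
}

final class MoveHandler
{
    public function __construct(private AssetStore $store) {}

    /**
     * Handle a MOVE of $source to $destination on behalf of $user.
     * Returns an HTTP-style status; the store is only modified on 204.
     */
    public function move(?User $user, string $source, string $destination): int
    {
        // 1. Authentication: a null user means no auth layer ran. Fail closed.
        if ($user === null) {
            return 401;
        }
        // 2. Resolve the source before any permission decision or mutation.
        if (!$this->store->exists($source)) {
            return 404;
        }
        // 3. Authorization on both ends of the move: rename on the source,
        //    delete on an existing destination (overwrite), create otherwise.
        if (!$user->can('rename')) {
            return 403;
        }
        $overwrite = $this->store->exists($destination);
        if ($overwrite && !$user->can('delete')) {
            return 403;
        }
        if (!$overwrite && !$user->can('create')) {
            return 403;
        }
        // 4. Only now mutate: remove the overwritten target, then rename.
        if ($overwrite) {
            $this->store->delete($destination);
        }
        $this->store->rename($source, $destination);
        return 204;
    }
}

// Constructed sample data: two assets in the same directory.
$store = new AssetStore();
$store->add('/assets/a.jpg');
$store->add('/assets/b.jpg');
$handler = new MoveHandler($store);

// Unauthenticated caller: rejected with 401 before anything is touched.
var_dump($handler->move(null, '/assets/a.jpg', '/assets/b.jpg'));
var_dump($store->paths());

// Authenticated user without delete permission: overwrite refused with 403.
$viewer = new User('viewer', ['rename', 'create']);
var_dump($handler->move($viewer, '/assets/a.jpg', '/assets/b.jpg'));

// User holding rename, delete and create: the overwrite move is allowed.
$editor = new User('editor', ['rename', 'delete', 'create']);
var_dump($handler->move($editor, '/assets/a.jpg', '/assets/b.jpg'));
var_dump($store->paths());
```

The point of the structure is that every early return happens before the first call that changes the store, so a rejected request leaves both assets in place. In a real sabre/dav-based controller the authentication step is the job of the server's auth plugin rather than of the move routine itself; the handler above keeps the null-user check as a second line of defence in case that plugin is not registered.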
References
- github.com/advisories/GHSA-wc7j-g8wx-m2qx
- github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99
- github.com/pimcore/pimcore/pull/19120
- github.com/pimcore/pimcore/releases/tag/v12.3.7
- github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx
- nvd.nist.gov/vuln/detail/CVE-2026-45260