CVE-2026-45704: Pimcore has a CustomReports Share Bypass
CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint.
- The listing flow filters reports based on report-sharing rules
- The detail flow only checks the generic `reports` or `reports_config` permissions
As a result, a low-privileged backend user who was not granted access to a report can still read that report directly by name even though it does not appear in the user’s visible report list.
In the local Docker reproduction:
- The report `poc-secret-report` was not visible to the low-privileged user in the report list
- The same user was still able to retrieve the report configuration directly by name
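The authorization mismatch described above, as an added illustration that is not Pimcore's code: a listing path that applies both the generic permission and the per-report sharing rule, a detail path that checks only the generic permission (the flaw), and a hardened detail path that reuses the same sharing rule. The `User`, `Report`, `list_reports` and `get_report_*` names are assumptions made for this sketch; the report name comes from the reproduction above.

```python
from dataclasses import dataclass, field

# Constructed model of report sharing with two ways of reaching a report.
# All names here are assumptions for illustration, not Pimcore's classes
# or functions; the real fix lives in the referenced pull request.


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)        # e.g. {"editor"}
    permissions: set = field(default_factory=set)  # e.g. {"reports"}


@dataclass
class Report:
    name: str
    shared_users: set = field(default_factory=set)
    shared_roles: set = field(default_factory=set)


def has_generic_permission(user: User) -> bool:
    """Coarse backend permission (stands in for reports / reports_config)."""
    return bool(user.permissions & {"reports", "reports_config"})


def is_shared_with(report: Report, user: User) -> bool:
    """Per-report sharing rule: the user or one of the user's roles is listed."""
    return user.name in report.shared_users or bool(user.roles & report.shared_roles)


def list_reports(user: User, reports: list) -> list:
    """Listing path: generic permission AND per-report sharing filter."""
    if not has_generic_permission(user):
        return []
    return [r.name for r in reports if is_shared_with(r, user)]


def get_report_vulnerable(user: User, reports: list, name: str):
    """Detail path as the advisory describes it: only the generic permission."""
    if not has_generic_permission(user):
        return None
    return next((r for r in reports if r.name == name), None)


def get_report_fixed(user: User, reports: list, name: str):
    """Hardened detail path: apply the same sharing rule the listing uses."""
    if not has_generic_permission(user):
        return None
    report = next((r for r in reports if r.name == name), None)
    if report is None or not is_shared_with(report, user):
        return None  # unauthorized and missing look the same to the caller
    return report
```

The point to take away is that every endpoint that returns a report, by name or otherwise, must go through the same sharing check as the listing; a filter applied only at listing time is not an access control.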
References
- github.com/advisories/GHSA-jwcc-gv4m-93x6
- github.com/pimcore/pimcore/commit/1893ff1cd116e442b995ddf17e8c6e0aa372268e
- github.com/pimcore/pimcore/pull/19099
- github.com/pimcore/pimcore/releases/tag/v12.3.6
- github.com/pimcore/pimcore/security/advisories/GHSA-jwcc-gv4m-93x6
- nvd.nist.gov/vuln/detail/CVE-2026-45704