Pimcore CVE-2026-45260
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without adding an authentication plugin in the WebDAV controller. The Tree::move() implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions.
An unauthenticated remote attacker who knows two existing asset paths in the same directory can send a WebDAV MOVE request that deletes the source asset. Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce rename, delete, create, or publish permissions.
Details
The route for WebDAV is globally registered and accepts arbitrary trailing paths:
# bundles/CoreBundle/config/routing.yaml
pimcore_webdav:
path: /asset/webdav{path}
defaults: { _controller: Pimcore\Bundle\CoreBundle\Controller\WebDavController::webdavAction }
requirements:
path: '.*'The controller constructs a SabreDAV server but only attaches lock and browser plugins. It does not attach an authentication plugin or perform an explicit user/session check before starting the server:
# bundles/CoreBundle/src/Controller/WebDavController.php
$publicDir = new Asset\WebDAV\Folder($homeDir);
$objectTree = new Asset\WebDAV\Tree($publicDir);
$server = new \Sabre\DAV\Server($objectTree);
$server->setBaseUri($this->generateUrl('pimcore_webdav', ['path' => '/']));
$server->addPlugin($lockPlugin);
$server->addPlugin(new \Sabre\DAV\Browser\Plugin());
$server->start();Most WebDAV file and folder operations perform permission checks through isAllowed(), but Tree::move() does not. In the overwrite path for a same-directory move, it deletes the source asset before resolving the current user:
# models/Asset/WebDAV/Tree.php
if (dirname($sourcePath) == dirname($destinationPath)) {
if ($asset = Asset::getByPath('/' . $destinationPath)) {
$sourceAsset = Asset::getByPath('/' . $sourcePath);
$asset->setData($sourceAsset->getData());
$sourceAsset->delete();
}
...
}
$user = \Pimcore\Tool\Admin::getCurrentUser();
$asset->setUserModification($user->getId());
$asset->save();Asset::delete() removes the asset without an internal permission gate:
# models/Asset.php
public function delete(bool $isNested = false): void
{
...
$this->getDao()->delete();
...
$this->deletePhysicalFile();
}Because the source asset deletion happens before $user->getId(), an unauthenticated request can still cause a deletion even if later execution fails when no current user is present.
PoC
Prerequisites:
- Pimcore 2026.1.0 with the built-in WebDAV route enabled.
- Two existing asset paths in the same directory, for example
/products/source.jpgand/products/existing.jpg. - No valid session is required for the unauthenticated deletion path.
PoC request:
MOVE /asset/webdav/products/source.jpg HTTP/1.1
Host: target.example
Destination: http://target.example/asset/webdav/products/existing.jpg
Overwrite: TResult:
The server will return an error after the deletion because Tree::move() later attempts to call $user->getId() when no current user exists. However, the source asset at /products/source.jpg has already been deleted by $sourceAsset->delete() before that failure point.
For an authenticated low-privileged backend user without sufficient asset permissions, the same request can also reach the unchecked move path and may overwrite the destination asset or move an asset without the expected per-asset permission checks.
Impact
This issue allows remote unauthorized destruction of assets when paths are known or guessable. In Pimcore deployments where assets represent product images, documents, media, or DAM-managed business content, deletion or unauthorized overwrite can cause data loss, content integrity loss, and service disruption.
AnalysisAI
{path} endpoint. The WebDAV controller never attaches an authentication plugin, and Tree::move()` deletes the source asset before resolving the current user or checking any per-asset permission, so even an unauthenticated request that errors out later still destroys the source file. A working proof-of-concept request is published in the GitHub Security Advisory (GHSA-wc7j-g8wx-m2qx); there is no CISA KEV listing and no EPSS score in the provided data, so this is not confirmed as actively exploited.
Technical ContextAI
The affected component (CPE pkg:composer/pimcore_pimcore) is Pimcore's asset WebDAV interface, which is used to expose the DAM asset tree to WebDAV clients such as Photoshop or Windows Explorer. The route pimcore_webdav is globally registered in bundles/CoreBundle/config/routing.yaml with path: .*, so it accepts any trailing asset path. The controller builds a SabreDAV \Sabre\DAV\Server but only adds the lock and browser plugins - it never adds \Sabre\DAV\Auth\Plugin nor performs an explicit session/user check before $server->start(). While most file/folder operations route through isAllowed(), the Tree::move() handler in models/Asset/WebDAV/Tree.php omits those checks: on a same-directory overwrite it calls $sourceAsset->delete() (which in Asset::delete() drops the DB record and removes the physical file with no internal permission gate) and only afterward calls \Pimcore\Tool\Admin::getCurrentUser(). This is a textbook CWE-862 (Missing Authorization): a security-relevant mutation executes before authorization is established.
RemediationAI
Vendor-released patch: 12.3.7 - upgrade the pimcore/pimcore Composer package to 12.3.7 or later, which adds an up-front authenticated-user check (throwing Sabre Forbidden when no current user exists) and enforces create, publish, and delete permissions in Tree::move() before any deletion occurs (see PR https://github.com/pimcore/pimcore/pull/19120 and commit 9d7c77fd9b19fa011ce470de95d4438e65007d99). If you cannot upgrade immediately, the most effective compensating control is to block or remove access to the WebDAV route: restrict or deny /asset/webdav at the reverse proxy / web server (or disable the pimcore_webdav route), accepting the trade-off that WebDAV-based asset access for legitimate desktop clients (e.g., Photoshop, Explorer mounts) will stop working. As a narrower mitigation, place the endpoint behind a network ACL or VPN so only trusted internal clients can reach it, reducing the unauthenticated remote exposure while preserving internal use. Refer to the advisory at https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx for authoritative guidance.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wc7j-g8wx-m2qx