CVE-2026-45260
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.
| CWE | CWE-862 |
| Vendor | pimcore |
| Product | pimcore |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for pimcore pimcore
Be the first to know when new high vulnerabilities affecting pimcore pimcore are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Affected Versions
pimcore / pimcore
< 11.5.17 >= 12.0.0, < 12.3.7
References
github.com: https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx github.com: https://github.com/pimcore/pimcore/pull/19120 github.com: https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99 github.com: https://github.com/pimcore/pimcore/releases/tag/v12.3.7