CVE-2026-45260 is a high-severity missing authorization vulnerability in pimcore/pimcore (composer), affecting versions <= 12.3.6. It is fixed in 12.3.7.
Summary

Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without adding an authentication plugin in the WebDAV controller. The Tree::move() implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An unauthenticated remote attacker who knows two existing asset paths in the same directory can send a WebDAV MOVE request that deletes the source asset. Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce rename, delete, create, or publish permissions.

Details

The route for WebDAV is globally registered and accepts arbitrary trailing paths:

The controller constructs a SabreDAV server but only attaches lock and browser plugins. It does not attach an authentication plugin or perform an explicit user/session check before starting the server:

Most WebDAV file and folder operations perform permission checks through isAllowed(), but Tree::move() does not. In the overwrite path for a same-directory move, it deletes the source asset before resolving the current user:

Asset::delete() removes the asset without an internal permission gate:

Because the source asset deletion happens before $user->getId(), an unauthenticated request can still cause a deletion even if later execution fails when no current user is present.

PoC

Prerequisites: Pimcore 2026.1.0 with the built-in WebDAV route enabled. Two existing asset paths in the same directory, for example /products/source.jpg and /products/existing.jpg. No valid session is required for the unauthenticated deletion path.

PoC request:

Result: The server will return an error after the deletion because Tree::move() later attempts to call $user->getId() when no current user exists. However, the source asset at /products/source.jpg has already been deleted by $sourceAsset->delete() before that failure point.

For an authenticated low-privileged backend user without sufficient asset permissions, the same request can also reach the unchecked move path and may overwrite the destination asset or move an asset without the expected per-asset permission checks.

Impact

This issue allows remote unauthorized destruction of assets when paths are known or guessable. In Pimcore deployments where assets represent product images, documents, media, or DAM-managed business content, deletion or unauthorized overwrite can cause data loss, content integrity loss, and service disruption.
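The two defects described above (a SabreDAV server started without an authentication plugin, and a move() that mutates before it authorizes) can be closed along the lines of this added example, which is not Pimcore's code nor its actual 12.3.7 fix; AssetTree, SessionOrBasicAuthBackend, UserResolver, $rootCollection, $lockBackend and $currentUser are assumptions, while Asset::getByPath() and isAllowed() are Pimcore calls named on the page or assumed to exist.

```php
<?php
// Added illustration, not Pimcore's code. Two controls: (1) Sabre's Auth plugin
// rejects unauthenticated requests with 401 before any method handler runs;
// (2) move() checks every required permission before touching an asset.
use Pimcore\Model\Asset;
use Pimcore\Model\User;
use Sabre\DAV\Auth\Backend\AbstractBasic;
use Sabre\DAV\Auth\Plugin as AuthPlugin;
use Sabre\DAV\Exception\Forbidden;
use Sabre\DAV\Exception\NotAuthenticated;
use Sabre\DAV\Locks\Plugin as LocksPlugin;
use Sabre\DAV\Server;

// Hypothetical backend: validates HTTP Basic credentials against Pimcore users.
final class SessionOrBasicAuthBackend extends AbstractBasic
{
    public function __construct(private UserResolver $users) {}   // assumed helper

    protected function validateUserPass($username, $password): bool
    {
        return $this->users->verify($username, $password) !== null;
    }
}

// Hypothetical tree: authorization is complete before any delete()/save().
final class AssetTree extends \Sabre\DAV\Tree
{
    public function __construct(\Sabre\DAV\ICollection $root, private ?User $user)
    {
        parent::__construct($root);
    }

    public function move($sourcePath, $destinationPath): void
    {
        if ($this->user === null) {                    // no current user: stop here
            throw new NotAuthenticated('WebDAV MOVE requires a Pimcore user');
        }
        $source = Asset::getByPath('/' . ltrim($sourcePath, '/'));
        $target = Asset::getByPath('/' . ltrim($destinationPath, '/'));
        $parent = Asset::getByPath('/' . ltrim(dirname($destinationPath), '/'));
        if (!$source || !$source->isAllowed('rename', $this->user)) {
            throw new Forbidden('rename permission missing on source');
        }
        if ($target && !$target->isAllowed('delete', $this->user)) {
            throw new Forbidden('delete permission missing on overwritten target');
        }
        if (!$parent || !$parent->isAllowed('create', $this->user)) {
            throw new Forbidden('create permission missing on destination folder');
        }
        parent::move($sourcePath, $destinationPath);   // only now mutate
    }
}

$server = new Server(new AssetTree($rootCollection, $currentUser));
$server->addPlugin(new AuthPlugin(new SessionOrBasicAuthBackend($userResolver)));
$server->addPlugin(new LocksPlugin($lockBackend));
$server->start();
```

The ordering matters: the Auth plugin must be added before start(), and every permission check in move() must precede the first mutating call, otherwise the partial-deletion window the advisory describes reopens.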
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-45260 has a CVSS score of 8.1 (High). The vector is network-reachable, with low privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (12.3.7). Upgrading removes the vulnerable code path.
Ecosystem: composer
Affected: pimcore/pimcore (<= 12.3.6)
Fixed: pimcore/pimcore → 12.3.7 (composer)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-45260 is reachable in your applications. Explore open-source security for your team.
Upgrade pimcore/pimcore to 12.3.7 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-45260 is a high-severity missing authorization vulnerability in pimcore/pimcore (composer), affecting versions <= 12.3.6. It is fixed in 12.3.7. The application does not perform an authorization check before performing a sensitive operation.
CVE-2026-45260 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
pimcore/pimcore (composer) versions <= 12.3.6 are affected.
Yes. CVE-2026-45260 is fixed in 12.3.7. Upgrade to this version or later.
Whether CVE-2026-45260 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade pimcore/pimcore to 12.3.7 or later.