PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45260 pimcore CVE debrief

CVE-2026-45260 is a high-severity vulnerability in Pimcore's WebDAV asset endpoint. Prior to versions 11.5.17 (LTS) and 12.3.7, the endpoint exposes a MOVE operation without an authentication plugin, allowing unauthorized asset deletion, moves, or overwrites. This could lead to data loss or corruption. The issue is fixed in versions 11.5.17 (LTS) and 12.3.7. Users of Pimcore, especially those using WebDAV asset endpoints, should be aware of this vulnerability and take steps to mitigate it. The vulnerability exists due to the lack of authentication checks in bundles/CoreBundle/src/Controller/WebDavController.php and models/Asset/WebDAV/Tree.php before performing asset mutation and deletion through models/Asset.php.

Vendor
pimcore
Product
Unknown
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Pimcore, especially those using WebDAV asset endpoints, should be aware of this vulnerability and take steps to mitigate it. This includes administrators, security teams, and developers who work with Pimcore. They should review the official advisory and take steps to update Pimcore to versions 11.5.17 (LTS) or 12.3.7, or later. Additionally, they should restrict access to the WebDAV asset endpoint and monitor for suspicious activity.

Technical summary

The vulnerability exists in Pimcore's WebDAV asset endpoint, specifically in the /asset/webdav{path} path. The MOVE operation is exposed without an authentication plugin, allowing unauthorized asset deletion, moves, or overwrites. This is due to the lack of authentication checks in bundles/CoreBundle/src/Controller/WebDavController.php and models/Asset/WebDAV/Tree.php before performing asset mutation and deletion through models/Asset.php. The issue is fixed in versions 11.5.17 (LTS) and 12.3.7.

Defensive priority

High priority should be given to updating Pimcore to versions 11.5.17 (LTS) or 12.3.7, or later. Additionally, defenders should review and restrict access to the WebDAV asset endpoint, monitor for suspicious activity, and review compensating controls for exposed systems.

Recommended defensive actions

  • Update Pimcore to version 11.5.17 (LTS) or 12.3.7, or later
  • Review and restrict access to the WebDAV asset endpoint
  • Monitor for suspicious activity on the WebDAV asset endpoint
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-17T20:17:16.857Z and has not been modified since then. The NVD entry is currently 8.1 HIGH. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The WebDAV asset endpoint exposure allows unauthorized asset deletion, moves, or overwrites, which could lead to data loss or corruption. Users should review the official advisory and take steps to mitigate the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:16.857Z and has not been modified since then.