PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45704 pimcore CVE debrief

CVE-2026-45704 is a high-severity vulnerability in Pimcore's CustomReports feature, allowing low-privileged backend users with reports permission to access unshared reports, potentially exposing sensitive data such as report names, grouping information, display and icon metadata, data source configurations, column configurations, and sharing settings. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6. Affected Pimcore users should apply patches immediately and review backend user permissions.

Vendor
pimcore
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Pimcore users with CustomReports enabled, especially those with low-privileged backend access, should be aware of this vulnerability and take immediate action to patch. Operators of Pimcore deployments, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and apply necessary mitigations.

Technical summary

The vulnerability exists due to inconsistent authorization between the report listing endpoint and the report detail endpoint in Pimcore's CustomReports feature. This allows a low-privileged backend user with reports permission to directly request an unshared report by name and read sensitive information, including report names, grouping information, display and icon metadata, data source configurations, column configurations, and sharing settings. The issue is fixed in versions 11.5.17 (LTS) and 12.3.6. Affected Pimcore users should apply patches immediately and review backend user permissions to prevent potential sensitive data exposure. It is essential to verify Pimcore version and CustomReports feature usage, review report access logs for potential exploitation, and implement compensating controls for exposed systems.

Defensive priority

High priority due to potential for sensitive data exposure

Recommended defensive actions

  • Apply patches 11.5.17 (LTS) or 12.3.6 immediately
  • Review and restrict backend user permissions for CustomReports
  • Monitor for suspicious report access attempts
  • Verify Pimcore version and CustomReports feature usage
  • Review report access logs for potential exploitation
  • Implement compensating controls for exposed systems
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-07-17T20:17:18.267Z and has not been modified since then. The NVD entry is currently 7.1 HIGH. Official patches and advisories are available. Evidence limits suggest verifying Pimcore version and CustomReports feature usage. Defensive verification tasks include reviewing report access logs and ensuring backend user permissions are restricted.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:18.267Z and has not been modified since then. The NVD entry is currently 7.1 HIGH.