PatchSiren cyber security CVE debrief
CVE-2026-45704 pimcore CVE debrief
CVE-2026-45704 is a high-severity vulnerability in Pimcore's CustomReports feature, allowing low-privileged backend users with reports permission to access unshared reports, potentially exposing sensitive data such as report names, grouping information, display and icon metadata, data source configurations, column configurations, and sharing settings. This issue is fixed in versions 11.5.17 (LTS) and 12.3.6. Affected Pimcore users should apply patches immediately and review backend user permissions.
- Vendor
- pimcore
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Pimcore users with CustomReports enabled, especially those with low-privileged backend access, should be aware of this vulnerability and take immediate action to patch. Operators of Pimcore deployments, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and apply necessary mitigations.
Technical summary
The vulnerability exists due to inconsistent authorization between the report listing endpoint and the report detail endpoint in Pimcore's CustomReports feature. This allows a low-privileged backend user with reports permission to directly request an unshared report by name and read sensitive information, including report names, grouping information, display and icon metadata, data source configurations, column configurations, and sharing settings. The issue is fixed in versions 11.5.17 (LTS) and 12.3.6. Affected Pimcore users should apply patches immediately and review backend user permissions to prevent potential sensitive data exposure. It is essential to verify Pimcore version and CustomReports feature usage, review report access logs for potential exploitation, and implement compensating controls for exposed systems.
Defensive priority
High priority due to potential for sensitive data exposure
Recommended defensive actions
- Apply patches 11.5.17 (LTS) or 12.3.6 immediately
- Review and restrict backend user permissions for CustomReports
- Monitor for suspicious report access attempts
- Verify Pimcore version and CustomReports feature usage
- Review report access logs for potential exploitation
- Implement compensating controls for exposed systems
- Track exceptions and retest remediated assets
Evidence notes
The CVE record was published on 2026-07-17T20:17:18.267Z and has not been modified since then. The NVD entry is currently 7.1 HIGH. Official patches and advisories are available. Evidence limits suggest verifying Pimcore version and CustomReports feature usage. Defensive verification tasks include reviewing report access logs and ensuring backend user permissions are restricted.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:18.267Z and has not been modified since then. The NVD entry is currently 7.1 HIGH.