CVE-2026-23494

4.3 MEDIUM

📋 TL;DR

This CVE describes an authorization bypass vulnerability in Pimcore's API endpoint for static routes. Authenticated backend users without proper permissions can access sensitive route configurations, potentially exposing custom URL patterns and controller details. This affects Pimcore installations prior to versions 12.3.1 and 11.5.14.

💻 Affected Systems

Products:
  • Pimcore
Versions: All versions prior to 12.3.1 and 11.5.14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated backend user access. Static routes configured via backend interface or var/config/staticroutes.php file.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map internal application structure, discover hidden endpoints, and potentially chain with other vulnerabilities to gain unauthorized access to sensitive functionality.

🟠

Likely Case

Information disclosure of custom route configurations, potentially revealing internal application architecture and sensitive path patterns.

🟢

If Mitigated

Minimal impact with proper authorization controls and network segmentation limiting access to backend interfaces.

🌐 Internet-Facing: MEDIUM - Requires authenticated backend access, but internet-facing admin interfaces increase exposure.
🏢 Internal Only: MEDIUM - Internal attackers with backend access could exploit this to gather reconnaissance information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated backend access and involves simple API calls to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.3.1 or 11.5.14

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf

Restart Required: No

Instructions:

1. Update Pimcore to version 12.3.1 (for v12) or 11.5.14 (for v11).
2. Verify the update completed successfully.
3. Test API endpoint authorization controls.

🔧 Temporary Workarounds

Restrict Backend Access

Applies to: all

Limit access to backend interfaces to authorized personnel only using network controls.

API Endpoint Restriction

Applies to: all

Implement web application firewall rules to block unauthorized access to /api/static-routes endpoint.

🧯 If You Can't Patch

  • Implement strict access controls for backend users and review user permissions regularly.
  • Monitor API access logs for unauthorized requests to static routes endpoint.

🔍 How to Verify

Check if Vulnerable:

Check Pimcore version via admin interface or by examining the installation directory. Versions below 12.3.1 (for v12) or 11.5.14 (for v11) are vulnerable.

Check Version:

Check the Pimcore version in the admin dashboard, or run composer show pimcore/pimcore from the installation directory.
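The version comparison above is easy to get wrong by hand because the fix lands on two separate release branches (11.x and 12.x). The following is an added example, not part of the advisory or of Pimcore's own tooling: it pulls the installed version out of composer show output and decides, per branch, whether it is below the fixed release. The composer output is a constructed sample; the rule that branches older than 11 count as affected and branches newer than 12 as unaffected is an assumption on top of the advisory's "all versions prior to 12.3.1 and 11.5.14" wording.

```python
import re

# Fixed releases named in the advisory, keyed by major branch.
FIXED = {12: (12, 3, 1), 11: (11, 5, 14)}

# Constructed sample of `composer show pimcore/pimcore` output (not real output).
SAMPLE_COMPOSER_SHOW = """
name     : pimcore/pimcore
descrip. : Open Source Data & Experience Management Platform
versions : * v11.5.13
type     : library
"""


def parse_version(text):
    """Turn 'v11.5.13' or '12.3.0' into an (int, int, int) tuple; None if unparsable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_from_composer_show(output):
    """Extract the installed version string from composer show output."""
    for line in output.splitlines():
        if line.strip().startswith("versions"):
            # "versions : * v11.5.13" -> "v11.5.13"
            return line.split(":", 1)[1].strip().lstrip("* ").strip()
    return None


def is_vulnerable(version):
    """True if the given Pimcore version predates the fix on its branch."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparsable version string: {version!r}")
    major = v[0]
    if major in FIXED:
        return v < FIXED[major]
    # Assumption: 10.x and older predate both fixed releases and are affected;
    # branches newer than 12 postdate the fix and are not.
    return major < 11


if __name__ == "__main__":
    installed = version_from_composer_show(SAMPLE_COMPOSER_SHOW)
    print(installed, "vulnerable" if is_vulnerable(installed) else "fixed")
```

Feed the real composer output in via stdin or a subprocess call in place of the constructed sample; the branch-aware comparison is the part worth keeping, since a naive string or float comparison will misjudge 11.5.14 against 12.3.1.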

Verify Fix Applied:

After updating, test API endpoint access with a low-privilege backend user account to ensure proper authorization checks are enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized GET requests to /api/static-routes endpoint
  • Multiple failed authorization attempts for static routes API

Network Indicators:

  • Unusual API traffic patterns to static routes endpoint from unauthorized users

SIEM Query:

source="pimcore" AND (uri_path="/api/static-routes" OR endpoint="static-routes") AND user_role!="admin"
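The SIEM query above flags every non-admin hit on the endpoint, which is noisy on a patched install where such requests are simply denied. The following is an added example, not from the advisory or from Pimcore, showing how to apply the two log indicators listed above to sample application log lines: a successful (HTTP 200) non-admin read of /api/static-routes is reported on its own, since on an unpatched install that is the bypass itself, while denied requests are reported only once a user accumulates several. The JSON log format and the field names (uri_path, user_role, status) are assumptions modelled on the SIEM query, the log lines are constructed, and the failure threshold of 3 is an arbitrary choice.

```python
import json
from collections import defaultdict

TARGET_PATH = "/api/static-routes"   # endpoint named in the advisory
FAILURE_THRESHOLD = 3                # assumed cut-off for "multiple failed attempts"

# Constructed sample log lines (JSON per line); field names are assumed.
SAMPLE_LOG = """
{"ts":"2026-01-10T09:00:01Z","user":"alice","user_role":"admin","method":"GET","uri_path":"/api/static-routes","status":200}
{"ts":"2026-01-10T09:00:05Z","user":"bob","user_role":"editor","method":"GET","uri_path":"/api/static-routes","status":200}
{"ts":"2026-01-10T09:01:00Z","user":"carol","user_role":"editor","method":"GET","uri_path":"/api/static-routes","status":403}
{"ts":"2026-01-10T09:01:02Z","user":"carol","user_role":"editor","method":"GET","uri_path":"/api/static-routes","status":403}
{"ts":"2026-01-10T09:01:04Z","user":"carol","user_role":"editor","method":"GET","uri_path":"/api/static-routes","status":403}
{"ts":"2026-01-10T09:02:00Z","user":"dave","user_role":"editor","method":"GET","uri_path":"/api/static-routes","status":403}
{"ts":"2026-01-10T09:03:00Z","user":"erin","user_role":"editor","method":"GET","uri_path":"/admin/assets","status":200}
this line is not JSON and must be skipped
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious(events, threshold=FAILURE_THRESHOLD):
    """Return findings for non-admin users touching the static-routes endpoint."""
    per_user = defaultdict(lambda: {"role": None, "ok": 0, "denied": 0})
    for e in events:
        if e.get("uri_path") != TARGET_PATH or e.get("user_role") == "admin":
            continue
        rec = per_user[e.get("user", "<unknown>")]
        rec["role"] = e.get("user_role")
        if e.get("status") == 200:
            rec["ok"] += 1
        elif e.get("status") in (401, 403):
            rec["denied"] += 1

    findings = []
    for user, rec in sorted(per_user.items()):
        if rec["ok"] > 0:
            # A non-admin read that succeeded: the bypass itself on an unpatched host.
            reason = "non-admin read succeeded"
        elif rec["denied"] >= threshold:
            # Patched host: repeated denials point at probing.
            reason = "repeated authorization failures"
        else:
            continue
        findings.append({"user": user, "role": rec["role"], "reason": reason,
                         "ok": rec["ok"], "denied": rec["denied"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f)
```

Map the field names onto whatever your web server or Pimcore log pipeline actually emits before relying on this; the distinction between "succeeded" and "repeatedly denied" is what separates an active bypass from post-patch noise.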
