CVE-2026-23495

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated backend users without proper permissions to access the complete list of Predefined Properties configurations in Pimcore's Admin Classic Bundle. It affects organizations using Pimcore with the Admin Classic Bundle for content management. The issue exposes metadata definitions that could reveal sensitive information about data structures and workflows.

💻 Affected Systems

Products:
  • Pimcore Admin Classic Bundle
Versions: All versions prior to 1.7.16 and 2.2.3
Operating Systems: All platforms running Pimcore
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the Admin Classic Bundle. Requires authenticated backend user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with authenticated access could map the entire Predefined Properties configuration, potentially identifying sensitive metadata fields, understanding data structures, and planning further attacks based on exposed system information.

🟠 Likely Case

Unauthorized users within the organization could access property configurations they shouldn't see, potentially learning about sensitive data fields or proprietary metadata structures used in the platform.

🟢 If Mitigated

With proper access controls and monitoring, the impact is limited to information disclosure about metadata structures rather than actual data exposure.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires authentication, internet-facing Pimcore instances could be targeted by attackers who obtain valid credentials through other means.
🏢 Internal Only: MEDIUM - Internal users with limited permissions could access property configurations beyond their authorization level, potentially enabling privilege escalation or data mapping.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple API call to the vulnerable endpoint

Exploitation requires authenticated access to the Pimcore backend. The vulnerability is straightforward to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.16 or 2.2.3

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f

Restart Required: No

Instructions:

1. Identify your Admin Classic Bundle version.
2. Update to version 1.7.16 if using version 1.x.
3. Update to version 2.2.3 if using version 2.x.
4. Verify the update was successful by checking the bundle version.

🔧 Temporary Workarounds

Restrict API endpoint access (applies to: all)

Implement network-level restrictions or web application firewall rules to limit access to the vulnerable API endpoint.

Review and restrict user permissions (applies to: all)

Audit and minimize backend user permissions to reduce the attack surface.

🧯 If You Can't Patch

  • Implement strict access controls and monitor API endpoint usage
  • Segment network access to limit which users can reach the Pimcore backend interface

🔍 How to Verify

Check if Vulnerable:

Check if your Admin Classic Bundle version is below 1.7.16 (for 1.x) or below 2.2.3 (for 2.x)

Check Version:

Check composer.json or run: php bin/console pimcore:bundle:list | grep 'Admin Classic Bundle'

Verify Fix Applied:

Verify the bundle version shows 1.7.16 or higher for 1.x, or 2.2.3 or higher for 2.x

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to property listing endpoints from users without property management permissions
  • Multiple rapid requests to /admin/property/predefined-properties endpoint

Network Indicators:

  • HTTP GET requests to property listing API endpoints from unauthorized IPs or users

SIEM Query:

source="pimcore" AND (uri_path="/admin/property/predefined-properties" OR uri_path LIKE "%/property/predefined%") AND user_role NOT IN ("property_manager", "admin")
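The two log indicators above (reads of the predefined-properties endpoint by users outside the property-management role, and bursts of such reads) can be checked offline against exported logs. The script below is an added example, not part of the advisory or of Pimcore; the log line layout, the role names "admin" and "property_manager", and the sample lines are all constructed assumptions to adapt to your own access or audit log format.

```python
# Assumptions: log layout, role names and sample lines are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

PREDEFINED_PATH = re.compile(r"/property/predefined", re.IGNORECASE)
ALLOWED_ROLES = {"admin", "property_manager"}   # assumed roles allowed to read the list
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(seconds=60)

# Assumed layout: <ISO timestamp> <ip> <user> <role> <method> <path> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) "
                    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def analyse(lines):
    """Return (unauthorized, burst_users): 2xx reads by users outside
    ALLOWED_ROLES, and users with BURST_THRESHOLD+ reads inside BURST_WINDOW."""
    unauthorized, per_user = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PREDEFINED_PATH.search(rec["path"]):
            continue
        per_user[rec["user"]].append(rec["ts"])
        if rec["role"] not in ALLOWED_ROLES and rec["status"].startswith("2"):
            unauthorized.append(rec)
    bursts = set()
    for user, stamps in per_user.items():
        stamps.sort()   # sliding window over consecutive hits per user
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if stamps[i + BURST_THRESHOLD - 1] - stamps[i] <= BURST_WINDOW:
                bursts.add(user)
                break
    return unauthorized, bursts

# Constructed sample lines (not real traffic): alice is allowed; bob, an
# editor, reads the list three times in four seconds; carol is denied (403).
SAMPLE_LOG = """\
2026-03-01T10:00:00 10.0.0.5 alice admin GET /admin/property/predefined-properties 200
2026-03-01T10:00:05 10.0.0.9 bob editor GET /admin/property/predefined-properties 200
2026-03-01T10:00:07 10.0.0.9 bob editor GET /admin/property/predefined-properties 200
2026-03-01T10:00:09 10.0.0.9 bob editor GET /admin/property/predefined-properties 200
2026-03-01T10:02:00 10.0.0.12 carol editor GET /admin/property/predefined-properties 403
""".splitlines()
```

Calling analyse(SAMPLE_LOG) returns bob's three successful reads as unauthorized hits and reports bob as a burst user, while carol's denied request and alice's permitted read are not flagged.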
