CVE-2026-23496: Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization
The application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing “Favourite Output Channel Configurations.” Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This violates the principle of least privilege and constitutes a classic example of Broken Access Control (OWASP Top 10 A01:2021). Because authorization is not validated at the function level, any authenticated user can perform actions intended only for privileged roles, leading to horizontal or vertical privilege escalation.
References
- github.com/advisories/GHSA-4wg4-p27p-5q2r
- github.com/pimcore/pimcore
- github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r
- github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1
- github.com/pimcore/web2print-tools/pull/108
- github.com/pimcore/web2print-tools/releases/tag/v5.2.2
- github.com/pimcore/web2print-tools/releases/tag/v6.1.1
- nvd.nist.gov/vuln/detail/CVE-2026-23496
Code Behaviors & Features
Detect and mitigate CVE-2026-23496 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →