Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list
Description
Pimcore CMF vulnerability allows authenticated but unauthorized users to access customer duplicates list and view PII data due to missing access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Customer Management Framework (CMF) for Pimcore contains an improper access control vulnerability in the /admin/customermanagementframework/duplicates/list endpoint. The DuplicatesController::listAction method does not enforce any permission checks before returning the list of potential duplicate customers and their associated data [3][4]. This root cause is visible in the controller code where no authorization annotation or manual permission verification is present [4].
To exploit this vulnerability, an authenticated user with no specific permissions, such as a role created without any privileges, can directly request the endpoint URL and receive the full duplicate analysis results [3]. The attack requires only a valid session; no special network position or elevated privileges are needed. The endpoint returns sensitive PII data of customers that the user would not normally be authorized to view [1].
An attacker exploiting this flaw can obtain personally identifiable information (PII) of all customers that have been flagged as potential duplicates by the system. This includes data aggregated by the CMF for segmentation and personalization purposes, potentially violating privacy regulations and exposing the organization to compliance risk [1][3]. The vulnerability is classified with an appropriate CVSS score reflecting the confidentiality impact.
Pimcore has patched this vulnerability in version 4.0.6 of the Customer Management Framework [1][3]. Users are strongly advised to upgrade immediately. Additionally, the GPL-licensed community version of the repository has been archived, and the supported version is now part of the Pimcore Enterprise Edition [2]. For those unable to upgrade, restricting network access to the vulnerable endpoint and enforcing role-based access controls at the web server level may serve as temporary mitigations, but upgrading is the recommended course of action.
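The pattern the narrative describes (an admin controller action that returns customer data without any permission check, fixed by enforcing the permission before any action runs) is shown below as an added example; it is not the project's code. It assumes Pimcore's admin base controller exposes `checkPermission()` and `onKernelControllerEvent()` as the upstream diff implies, the base class name `AdminAbstractController` is an assumption, the `findDuplicates()` helper is a placeholder, and the regression test assumes a Symfony `WebTestCase` setup with a hypothetical `loginAs()` helper and that a failed `checkPermission()` yields HTTP 403.

```php
<?php
// Added example, not the project's code. Demonstrates the hardened form of
// the controller: the permission is enforced in onKernelControllerEvent, so
// every action of the controller (present and future) is covered, instead of
// relying on each action to remember its own check (the gap in the original
// listAction).

declare(strict_types=1);

namespace App\Controller\Admin;

use Pimcore\Bundle\AdminBundle\Controller\AdminAbstractController; // assumed base class name
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\Routing\Annotation\Route;

/**
 * @Route("/admin/customermanagementframework/duplicates")
 */
class DuplicatesController extends AdminAbstractController
{
    /**
     * Runs before any action of this controller is invoked. The parent call
     * establishes the authenticated admin user; checkPermission() then denies
     * the request unless that user holds the permission. The permission key
     * is the one used by the upstream fix.
     */
    public function onKernelControllerEvent(ControllerEvent $event): void
    {
        parent::onKernelControllerEvent($event);
        $this->checkPermission('plugin_cmf_perm_customerview');
    }

    /**
     * @Route("/list")
     */
    public function listAction(Request $request): JsonResponse
    {
        // Only reached by users holding plugin_cmf_perm_customerview.
        return $this->json(['success' => true, 'data' => $this->findDuplicates()]);
    }

    /** Placeholder for the real duplicate search (assumption, not upstream logic). */
    private function findDuplicates(): array
    {
        return [];
    }
}

// --- Regression test, kept in its own file under tests/ in practice ---------
namespace App\Tests\Controller\Admin;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class DuplicatesAccessTest extends WebTestCase
{
    public function testAuthenticatedUserWithoutPermissionIsDenied(): void
    {
        $client = static::createClient();
        // Hypothetical helper: authenticates an admin user that has no CMF permissions.
        self::loginAs($client, 'user-without-cmf-permissions');

        $client->request('GET', '/admin/customermanagementframework/duplicates/list');

        // Assumes checkPermission() raises an access-denied exception (HTTP 403).
        self::assertResponseStatusCodeSame(403);
    }
}
```

The test is the piece worth keeping after the upgrade: it fails on the vulnerable controller (which answers the request with the duplicate list) and passes once the permission check is in place, so a later refactor that drops the override is caught in CI rather than in an audit.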
1. NVD - CVE-2024-21666
2. GitHub - pimcore/customer-data-framework: Customer Data Framework community bundle adds capability for management of customer data to Pimcore.
3. Improper Access Control allows unprivileged user to access customers duplicates list
4. customer-data-framework/src/Controller/Admin/DuplicatesController.php at b4af625ef327c58d05ef7cdf145fa749d2d4195e · pimcore/customer-data-framework
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/customer-management-framework-bundle (Packagist) | < 4.0.6 | 4.0.6 |
Affected products
- pimcore/customer-data-framework, range: < 4.0.6
Patches
- c33c0048390e Fix: improper access (#523)
1 file changed · +7 −0
src/Controller/Admin/DuplicatesController.php+7 −0 modified@@ -23,6 +23,7 @@ use Symfony\Component\HttpFoundation\JsonResponse; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; +use Symfony\Component\HttpKernel\Event\ControllerEvent; use Symfony\Component\Routing\Annotation\Route; /** @@ -35,6 +36,12 @@ public function init() AbstractObject::setHideUnpublished(true); } + public function onKernelControllerEvent(ControllerEvent $event): void + { + parent::onKernelControllerEvent($event); + $this->checkPermission('plugin_cmf_perm_customerview'); + } + /** * @Route("/list") *
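Review bot: the second hunk (the onKernelControllerEvent override) ships without a regression test, since the patch touches only src/Controller/Admin/DuplicatesController.php (+7 −0); add a functional test that requests /admin/customermanagementframework/duplicates/list as an authenticated user lacking plugin_cmf_perm_customerview and asserts the request is denied, so the check cannot be dropped silently later. Enforcing the permission in onKernelControllerEvent rather than inside listAction is the right choice, as it covers every action of the controller; a short docblock on the override stating why plugin_cmf_perm_customerview is the correct permission for the duplicates list would make that intent auditable, and it is worth noting in the same docblock that the check deliberately runs after parent::onKernelControllerEvent($event), which is what establishes the authenticated admin user the check is evaluated against.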
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c38c-c8mh-vq68 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-21666 (ghsa, ADVISORY)
- github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php (ghsa, x_refsource_MISC, WEB)
- github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6 (ghsa, x_refsource_MISC, WEB)
- github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.