Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access GDPR extracts
Description
CVE-2024-21667: Missing access control in Pimcore CMF GDPR endpoint allows unauthenticated access to customer PII.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Customer Management Framework (CMF) for Pimcore contains an improper access control vulnerability in the /admin/customermanagementframework/gdpr-data/search-data-objects endpoint. The searchDataObjectsAction method in GDPRDataController.php does not enforce permission checks, allowing any authenticated user to query the endpoint and retrieve customer data [1], [3]. This occurs because the controller lacks a checkPermission call that would normally restrict access to users with the gdpr_data_extractor permission [4].
Exploitation
An attacker with a valid, unprivileged account (e.g., a user assigned a role with no permissions) can directly access the endpoint by making a GET request with optional query parameters (id, firstname, lastname, email, page, limit) [3]. The vulnerability requires prior authentication but no special privileges beyond a basic user account. The attacker can enumerate customer records by modifying the query parameters, leading to systematic extraction of PII.
Impact
An unauthorized user can access personally identifiable information (PII) of customers managed by the CMF, including but not limited to names, email addresses, and other sensitive data [1], [3]. This exposure violates data protection requirements and can lead to privacy breaches, regulatory fines, and reputational damage.
Mitigation
The vulnerability has been patched in version 4.0.6 of the pimcore/customer-data-framework package [1]. The fix adds a checkPermission('gdpr_data_extractor') call in the onKernelControllerEvent method of the controller, ensuring that only users with the appropriate permission can access the endpoint [4]. Administrators should immediately upgrade to version 4.0.6 or later. Note that this OSS repository has been archived and the community-supported version is EOL; users are advised to migrate to the Pimcore Enterprise Edition for continued support [2].
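As an added detection example (written for this page, not part of the advisory or of the Pimcore project), the Python below parses combined-format web server access log lines, keeps successful GET requests to the search-data-objects endpoint named above, and flags clients that stepped through successive `page` values, the paging pattern a systematic extraction would leave in the logs. The combined log format, the sample lines and the three-page threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint reachable without the gdpr_data_extractor permission in CMF < 4.0.6.
GDPR_SEARCH_PATH = "/admin/customermanagementframework/gdpr-data/search-data-objects"
# Query parameters the endpoint accepts; stepping page/limit is the sweep signature.
SEARCH_PARAMS = {"id", "firstname", "lastname", "email", "page", "limit"}
# Assumed Apache/nginx combined log format: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Constructed sample lines (not from a real deployment). The first client pages
# through results; the second gets one hit, then a 403 once the fix is in place.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "GET /admin/customermanagementframework/gdpr-data/search-data-objects?page=1&limit=100 HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "GET /admin/customermanagementframework/gdpr-data/search-data-objects?page=2&limit=100 HTTP/1.1" 200 5098
203.0.113.10 - - [10/Jan/2024:10:00:03 +0000] "GET /admin/customermanagementframework/gdpr-data/search-data-objects?page=3&limit=100 HTTP/1.1" 200 4870
198.51.100.7 - - [10/Jan/2024:10:05:00 +0000] "GET /admin/customermanagementframework/gdpr-data/search-data-objects?email=jane%40example.com HTTP/1.1" 200 412
198.51.100.7 - - [10/Jan/2024:10:05:30 +0000] "GET /admin/customermanagementframework/gdpr-data/search-data-objects?page=2 HTTP/1.1" 403 0
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None on no match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def gdpr_search_hits(lines):
    """Yield successful (2xx) GET requests to the GDPR search endpoint."""
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or not rec["status"].startswith("2"):
            continue
        url = urlsplit(rec["target"])
        if url.path != GDPR_SEARCH_PATH:
            continue
        # Keep only the parameters the endpoint understands; first value wins.
        rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items() if k in SEARCH_PARAMS}
        yield rec


def flag_enumeration(lines, min_pages=3):
    """Return {client: {"hits": n, "pages": [...]}} for clients that walked >= min_pages pages."""
    per_client = defaultdict(lambda: {"hits": 0, "pages": set()})
    for rec in gdpr_search_hits(lines):
        per_client[rec["client"]]["hits"] += 1
        per_client[rec["client"]]["pages"].add(rec["query"].get("page", "1"))  # no page => page 1
    return {c: {"hits": e["hits"], "pages": sorted(e["pages"], key=lambda p: (len(p), p))}
            for c, e in per_client.items() if len(e["pages"]) >= min_pages}
```

Run over the real access log of an instance that was on CMF < 4.0.6 to see which clients swept the endpoint before the upgrade; the combined format does not carry the Pimcore admin user, so correlate flagged clients with admin session records to name the account.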
- [1] NVD - CVE-2024-21667
- [2] GitHub - pimcore/customer-data-framework: Customer Data Framework community bundle adds capability for management of customer data to Pimcore.
- [3] Improper Access Control allows unprivileged user to access GDPR extracts
- [4] [Bug]: Fix GDPR search-data-objects permission (#525) · pimcore/customer-data-framework@6c34515
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/customer-management-framework-bundle (Packagist) | < 4.0.6 | 4.0.6 |
Affected products
- pimcore/customer-data-framework (v5): range < 4.0.6
Patches
- 6c34515be2ba [Bug]: Fix GDPR search-data-objects permission (#525)
1 file changed · +8 −1
src/Controller/Admin/GDPRDataController.php+8 −1 modified@@ -16,22 +16,29 @@ namespace CustomerManagementFrameworkBundle\Controller\Admin; use CustomerManagementFrameworkBundle\GDPR\DataProvider\Customers; +use Pimcore\Controller\KernelControllerEventInterface; use Pimcore\Controller\Traits\JsonHelperTrait; use Pimcore\Controller\UserAwareController; use Pimcore\Model\DataObject\AbstractObject; use Symfony\Component\HttpFoundation\JsonResponse; use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\HttpKernel\Event\ControllerEvent; use Symfony\Component\Routing\Annotation\Route; /** * Class DataObjectController * * @Route("/gdpr-data") */ -class GDPRDataController extends UserAwareController +class GDPRDataController extends UserAwareController implements KernelControllerEventInterface { use JsonHelperTrait; + public function onKernelControllerEvent(ControllerEvent $event): void + { + $this->checkPermission('gdpr_data_extractor'); + } + /** * @Route("/search-data-objects", name="_pimcore_customermanagementframework_gdprdata_searchdataobjects", methods={"GET"}) */
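Review bot: the class docblock in this hunk still reads `* Class DataObjectController` while the class declared directly below it is `GDPRDataController`; since the header is being touched, correct the name in the same change. Placing `checkPermission('gdpr_data_extractor')` in `onKernelControllerEvent` is the right scope, because Pimcore's kernel.controller listener invokes that hook before every action of a controller implementing `KernelControllerEventInterface`, so `searchDataObjectsAction` and any action added later are covered without a per-method check; the commit changes only this one file, though, so a functional test asserting that a user without `gdpr_data_extractor` receives a 403 from `/gdpr-data/search-data-objects` while a user holding the permission still receives a 200 would guard against the hook being dropped in a later refactor.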
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g273-wppx-82w4 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-21667 (ghsa: ADVISORY)
- github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php (ghsa: x_refsource_MISC, WEB)
- github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77 (ghsa: x_refsource_MISC, WEB)
- github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4 (ghsa: x_refsource_CONFIRM, WEB)