{"id":"CVE-2026-45260","summary":"Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling","details":"Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 (LTS) and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and models/Asset/WebDAV/Tree.php performs asset mutation and deletion through models/Asset.php before checking a current Pimcore user or the rename, delete, create, or publish permissions, allowing unauthorized asset deletion, moves, or overwrites. This issue is fixed in versions 11.5.17 (LTS) and 12.3.7.","aliases":["GHSA-wc7j-g8wx-m2qx"],"modified":"2026-07-19T03:46:47.110563798Z","published":"2026-07-17T19:08:38.869Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45260.json","unresolved_ranges":[{"extracted_events":[{"fixed":"11.5.17"}],"source":"AFFECTED_FIELD"}]},"references":[{"type":"WEB","url":"https://github.com/pimcore/pimcore/releases/tag/v12.3.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45260.json"},{"type":"ADVISORY","url":"https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45260"},{"type":"FIX","url":"https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99"},{"type":"FIX","url":"https://github.com/pimcore/pimcore/pull/19120"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pimcore/pimcore","events":[{"introduced":"df14e025d3db615fc75b190e3c9f3cc1d68d7304"},{"fixed":"9d7c77fd9b19fa011ce470de95d4438e65007d99"},{"fixed":"d8a4b30690369f5325879b9f969796d6a4f57fa3"}],"database_specific":{"extracted_events":[{"introduced":"12.0.0"},{"fixed":"12.3.7"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v12.3.5","v12.3.4","v12.3.3","v12.3.2","v12.3.1.1","v12.3.1","v12.3.0","v12.2.1","v12.2.0","v12.1.0","v12.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45260.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}]}