{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pimcore-customreports/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pimcore CustomReports"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","web-application"],"_cs_type":"advisory","_cs_vendors":["pimcore"],"content_html":"\u003cp\u003ePimcore\u0026rsquo;s CustomReports bundle applies inconsistent authorization to the report listing endpoint and the report detail endpoint. The listing flow filters reports by the report-sharing rules, while the detail flow checks only the generic \u003ccode\u003ereports\u003c/code\u003e or \u003ccode\u003ereports_config\u003c/code\u003e permission. As a result, a low-privileged backend user who holds the \u003ccode\u003ereports\u003c/code\u003e permission, but has not been granted access to a specific report, can still read that report\u0026rsquo;s configuration by requesting it directly by name, even though the report never appears in the user\u0026rsquo;s report list. The flaw sits in the CustomReports bundle and affects Pimcore instances where custom reports with restricted sharing are in use; it exposes report metadata to users who were not meant to see it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Pimcore backend as a low-privileged user who holds the \u003ccode\u003ereports\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker requests the list of available custom reports through the listing endpoint.\u003c/li\u003e\n\u003cli\u003eThe server filters that list by the sharing rules, so reports not shared with the user are omitted from the response.\u003c/li\u003e\n\u003cli\u003eThe attacker learns the name of a target report through reconnaissance or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request directly to the report detail endpoint, specifying the target report name.\u003c/li\u003e\n\u003cli\u003eThe server checks only for the generic \u003ccode\u003ereports\u003c/code\u003e permission; the sharing rules enforced by the listing endpoint are never consulted.\u003c/li\u003e\n\u003cli\u003eThe server resolves the report by name and returns its configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains report metadata that was never shared with them, including the report name, data source configuration, and sharing settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation discloses report metadata the user was not entitled to see: the report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings. Depending on what the reports contain, this information disclosure can enable further unauthorized actions. The source code suggests that other report endpoints that resolve a report by name in the same way, such as \u003ccode\u003edata\u003c/code\u003e, \u003ccode\u003echart\u003c/code\u003e, \u003ccode\u003ecreate-csv\u003c/code\u003e, and \u003ccode\u003edownload-csv\u003c/code\u003e, may be affected as well.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Pimcore CustomReports Share Bypass\u003c/code\u003e to your SIEM to identify requests to the report detail endpoint (\u003ccode\u003egetAction\u003c/code\u003e) for reports that are not listed as accessible to the requesting user. A single request does not show which reports that user may see, so the rule needs the user\u0026rsquo;s shared-report set (the listing response or the report sharing configuration) as reference data.\u003c/li\u003e\n\u003cli\u003eReview and audit all custom report sharing configurations to ensure proper access controls are in place, keeping in mind that while this inconsistency exists the sharing rules restrict only the listing, not the detail endpoint.\u003c/li\u003e\n\u003cli\u003eInvestigate the other report endpoints that resolve reports by name, such as \u003ccode\u003edata\u003c/code\u003e, \u003ccode\u003echart\u003c/code\u003e, \u003ccode\u003ecreate-csv\u003c/code\u003e, and \u003ccode\u003edownload-csv\u003c/code\u003e, for the same access control bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T22:35:24Z","date_published":"2026-05-27T22:35:24Z","id":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-report-bypass/","summary":"Pimcore's CustomReports feature has a share bypass vulnerability due to inconsistent authorization checks between the report listing endpoint and the report detail endpoint, allowing low-privileged users to access report configurations without explicit sharing permissions.","title":"Pimcore CustomReports Share Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-report-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Pimcore CustomReports","version":"https://jsonfeed.org/version/1.1"}
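The attack chain and the detection recommendation in the advisory above, worked through as an added Python model. This is example code written for this page, not Pimcore's own controller or the CraftedSignal Sigma rule. It assumes a sharing model of globally shared / shared with named users / shared with named roles, assumes illustrative request paths ending in `/tree` and `/get`, and uses a constructed report inventory, user directory and access-log format. `get_report_vulnerable` reproduces the inconsistency (generic permission only, then lookup by name), `get_report_fixed` reuses the listing predicate on the resolved report, and `find_share_bypass` is the detection logic the recommended rule needs: detail requests for report names outside the set the listing endpoint would have returned to that user.

```python
"""Model of the CustomReports share bypass (added example, not Pimcore code).

Assumptions: sharing is global / per-user / per-role; request paths, the
report inventory, the user directory and the log format are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Report:
    name: str
    data_source: str                       # constructed sample metadata
    shared_globally: bool = False
    shared_users: set = field(default_factory=set)
    shared_roles: set = field(default_factory=set)


@dataclass
class User:
    name: str
    roles: set
    permissions: set                       # e.g. {"reports"}


# Constructed inventory: one report shared with everyone, one restricted.
REPORTS = {
    "sales_overview": Report("sales_overview", "sql:public_sales", shared_globally=True),
    "board_kpis": Report("board_kpis", "sql:finance_kpis",
                         shared_users={"cfo"}, shared_roles={"finance"}),
}

# Constructed user directory (the detection needs roles from somewhere).
USER_ROLES = {"intern": set(), "cfo": {"finance"}}


def is_shared_with(report: Report, user: User) -> bool:
    """Sharing rule: the predicate the listing endpoint applies (assumed model)."""
    return (report.shared_globally
            or user.name in report.shared_users
            or bool(report.shared_roles & user.roles))


def has_reports_permission(user: User) -> bool:
    """Generic permission check used by both endpoints."""
    return bool(user.permissions & {"reports", "reports_config"})


def list_reports(user: User, reports=REPORTS) -> list:
    """Listing endpoint: generic permission AND sharing rules."""
    if not has_reports_permission(user):
        raise PermissionError("reports permission required")
    return sorted(n for n, r in reports.items() if is_shared_with(r, user))


def _serialize(r: Report) -> dict:
    return {"name": r.name, "dataSource": r.data_source,
            "sharedRoles": sorted(r.shared_roles)}


def get_report_vulnerable(user: User, name: str, reports=REPORTS) -> Optional[dict]:
    """Detail endpoint as the advisory describes it: generic permission only,
    then resolution by name, so the sharing rules are never consulted."""
    if not has_reports_permission(user):
        raise PermissionError("reports permission required")
    r = reports.get(name)
    return None if r is None else _serialize(r)


def get_report_fixed(user: User, name: str, reports=REPORTS) -> Optional[dict]:
    """Hardened detail endpoint: apply the listing predicate to the resolved
    report. An unshared report is answered as absent rather than forbidden, so
    the by-name lookup cannot confirm that a restricted report exists."""
    if not has_reports_permission(user):
        raise PermissionError("reports permission required")
    r = reports.get(name)
    if r is None or not is_shared_with(r, user):
        return None
    return _serialize(r)


# Constructed access-log lines (one JSON object per line; assumed format).
SAMPLE_LOG = """\
{"user":"intern","path":"/admin/reports/custom-report/tree"}
{"user":"intern","path":"/admin/reports/custom-report/get","name":"sales_overview"}
{"user":"intern","path":"/admin/reports/custom-report/get","name":"board_kpis"}
{"user":"cfo","path":"/admin/reports/custom-report/get","name":"board_kpis"}
"""


def find_share_bypass(log_text: str, reports=REPORTS, roles=USER_ROLES) -> list:
    """Detection behind the recommended rule: flag detail requests whose report
    name lies outside what the listing endpoint would return to that user.
    The sharing configuration (REPORTS) and user roles are the reference data."""
    hits = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if not ev["path"].endswith("/get"):
            continue
        user = User(ev["user"], set(roles.get(ev["user"], ())), {"reports"})
        if ev["name"] not in list_reports(user, reports):
            hits.append((ev["user"], ev["name"]))
    return hits


if __name__ == "__main__":
    intern = User("intern", roles=set(), permissions={"reports"})
    print(list_reports(intern))                         # ['sales_overview']
    print(get_report_vulnerable(intern, "board_kpis"))  # restricted config leaks
    print(get_report_fixed(intern, "board_kpis"))       # None
    print(find_share_bypass(SAMPLE_LOG))                # [('intern', 'board_kpis')]
```

The fix is deliberately the same predicate the listing already uses: any endpoint that resolves a report by name (`get`, and by the advisory's reasoning `data`, `chart`, `create-csv`, `download-csv`) should call it after the lookup, so the two code paths cannot drift apart again.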