{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pimcore/pimcore--12.3.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pimcore/pimcore (\u003c= 12.3.6)"],"_cs_severities":["high"],"_cs_tags":["webdav","asset-management","missing-authorization","pimcore"],"_cs_type":"advisory","_cs_vendors":["Pimcore"],"content_html":"\u003cp\u003ePimcore, a PHP-based platform for managing digital data, contains a vulnerability in its WebDAV asset endpoint that allows unauthorized asset manipulation. The vulnerability, identified as CVE-2026-45260, stems from a missing authentication plugin in the WebDAV controller, specifically impacting the \u003ccode\u003eMOVE\u003c/code\u003e operation. This oversight enables unauthenticated remote attackers, who possess knowledge of two existing asset paths within the same directory, to send a crafted WebDAV request and delete the source asset. Moreover, authenticated low-privileged users can exploit this flaw to perform unauthorized asset move or overwrite operations due to the absence of proper permission checks along the move path. This can lead to data loss and service disruption. The affected versions are Pimcore 12.3.6 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies two existing asset paths in the same directory on a Pimcore instance (e.g., \u003ccode\u003e/products/source.jpg\u003c/code\u003e and \u003ccode\u003e/products/existing.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a WebDAV \u003ccode\u003eMOVE\u003c/code\u003e request targeting the source asset (\u003ccode\u003e/products/source.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDestination\u003c/code\u003e header of the \u003ccode\u003eMOVE\u003c/code\u003e request is set to the path of the destination asset (\u003ccode\u003e/products/existing.jpg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eOverwrite\u003c/code\u003e header is set to \u003ccode\u003eT\u003c/code\u003e, indicating that the destination asset should be overwritten if it exists.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted \u003ccode\u003eMOVE\u003c/code\u003e request to the \u003ccode\u003e/asset/webdav\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Pimcore server receives the request and, due to the missing authentication plugin, processes it without verifying the attacker\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTree::move()\u003c/code\u003e function is executed, which deletes the source asset (\u003ccode\u003e/products/source.jpg\u003c/code\u003e) via the \u003ccode\u003eAsset::delete()\u003c/code\u003e function \u003cem\u003ebefore\u003c/em\u003e checking for a valid user session or asset permissions.\u003c/li\u003e\n\u003cli\u003eThe server attempts to set the \u003ccode\u003euserModification\u003c/code\u003e field but fails because there\u0026rsquo;s no authenticated user, triggering an error. Despite the error, the source asset has already been deleted.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for the unauthorized deletion of assets in Pimcore. An unauthenticated attacker can remotely delete assets if they know the paths. In Pimcore deployments where assets represent product images, documents, media, or DAM-managed business content, this deletion or unauthorized overwrite can cause data loss, content integrity loss, and service disruption. The affected package is \u003ccode\u003ecomposer/pimcore/pimcore\u003c/code\u003e in versions 12.3.6 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches to upgrade Pimcore to a version greater than 12.3.6 to address CVE-2026-45260.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Pimcore WebDAV Unauthorized Asset MOVE\u0026rdquo; to identify potential exploitation attempts against the \u003ccode\u003e/asset/webdav\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for \u003ccode\u003eMOVE\u003c/code\u003e requests targeting the \u003ccode\u003e/asset/webdav\u003c/code\u003e endpoint as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T17:20:01Z","date_published":"2026-05-27T17:20:01Z","id":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-webdav-asset-move/","summary":"Pimcore's WebDAV asset endpoint exposes a `MOVE` operation without authentication, allowing unauthenticated remote attackers to delete assets if they know two existing asset paths in the same directory; authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions, leading to data loss, content integrity loss, and service disruption.","title":"Pimcore WebDAV Asset MOVE Missing Authorization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-pimcore-webdav-asset-move/"}],"language":"en","title":"CraftedSignal Threat Feed — Pimcore/Pimcore (\u003c= 12.3.6)","version":"https://jsonfeed.org/version/1.1"}