GHSA-36FC-7WJG-MFVJ
Vulnerability from github – Published: 2026-05-27 16:57 – Updated: 2026-07-10 19:07GitHub Security Advisory Draft — GM-374
Summary
Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source.
Severity
CVSS 3.1: 8.0 (High) — AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Component
- Package:
pimcore/pimcoreandpimcore/admin-ui-classic-bundle - Files:
lib/Tool/Authentication.php(line 82) — session token deserializationmodels/Site/Dao.php(line 68) — site domains from databasemodels/DataObject/ClassDefinition/CustomLayout/Dao.php(line 69) — layout definitions from databasemodels/Tool/TmpStore/Dao.php(line 64) — temporary store data from databasemodels/Asset/WebDAV/Service.php(line 36) — delete log from filesystemadmin-ui-classic-bundle/src/Helper/Dashboard.php(line 64) — dashboard config from filesystem
Description
Six locations in Pimcore core call unserialize() directly (bypassing Tool\Serialize) on data sourced from database columns or filesystem files without passing the allowed_classes parameter. This means any class available in the autoloader will be instantiated during deserialization.
If an attacker can write to the data source (e.g., via SQL injection targeting the tmp_store, sites, or custom_layouts tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.
This is related to but distinct from the Tool\Serialize::unserialize() issue — these calls bypass the wrapper entirely.
Impact
PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.
Proof of Concept
- Identify a writable data source (e.g.,
tmp_storetable via SQL injection, orwebdav-delete.datvia file write) - Write a serialized PHP gadget chain (e.g., Monolog
BufferHandlerchain from phpggc) - Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation)
- The gadget chain executes with web server privileges
Suggested Fix
Add allowed_classes parameter to all unserialize() calls. Where no objects are needed, use ['allowed_classes' => false]. Consider migrating to JSON serialization for data that doesn't require object preservation.
// Example fix for Site/Dao.php:
$siteDomains = unserialize($site['domains'], ['allowed_classes' => false]);
// Example fix for TmpStore/Dao.php:
$item['data'] = unserialize($item['data'], ['allowed_classes' => false]);
References
- CWE-502: Deserialization of Untrusted Data
- OWASP Deserialization Cheat Sheet
- phpggc: PHP Generic Gadget Chains
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.3.6"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0-RC1"
},
{
"fixed": "12.3.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.5.16"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.5.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "2026.1.0"
},
{
"fixed": "2026.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45162"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T16:57:04Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# GitHub Security Advisory Draft \u2014 GM-374\n\n## Summary\nMultiple locations in Pimcore v11 call PHP\u0027s `unserialize()` on data from database columns and filesystem files without the `allowed_classes` restriction, enabling object injection if an attacker can control the serialized data source.\n\n## Severity\nCVSS 3.1: 8.0 (High) \u2014 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\n\n## Affected Component\n- **Package:** `pimcore/pimcore` and `pimcore/admin-ui-classic-bundle`\n- **Files:**\n - `lib/Tool/Authentication.php` (line 82) \u2014 session token deserialization\n - `models/Site/Dao.php` (line 68) \u2014 site domains from database\n - `models/DataObject/ClassDefinition/CustomLayout/Dao.php` (line 69) \u2014 layout definitions from database\n - `models/Tool/TmpStore/Dao.php` (line 64) \u2014 temporary store data from database\n - `models/Asset/WebDAV/Service.php` (line 36) \u2014 delete log from filesystem\n - `admin-ui-classic-bundle/src/Helper/Dashboard.php` (line 64) \u2014 dashboard config from filesystem\n\n## Description\nSix locations in Pimcore core call `unserialize()` directly (bypassing `Tool\\Serialize`) on data sourced from database columns or filesystem files without passing the `allowed_classes` parameter. This means any class available in the autoloader will be instantiated during deserialization.\n\nIf an attacker can write to the data source (e.g., via SQL injection targeting the `tmp_store`, `sites`, or `custom_layouts` tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.\n\nThis is related to but distinct from the `Tool\\Serialize::unserialize()` issue \u2014 these calls bypass the wrapper entirely.\n\n## Impact\nPHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore\u0027s dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.\n\n## Proof of Concept\n1. Identify a writable data source (e.g., `tmp_store` table via SQL injection, or `webdav-delete.dat` via file write)\n2. Write a serialized PHP gadget chain (e.g., Monolog `BufferHandler` chain from phpggc)\n3. Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation)\n4. The gadget chain executes with web server privileges\n\n## Suggested Fix\nAdd `allowed_classes` parameter to all `unserialize()` calls. Where no objects are needed, use `[\u0027allowed_classes\u0027 =\u003e false]`. Consider migrating to JSON serialization for data that doesn\u0027t require object preservation.\n\n```php\n// Example fix for Site/Dao.php:\n$siteDomains = unserialize($site[\u0027domains\u0027], [\u0027allowed_classes\u0027 =\u003e false]);\n\n// Example fix for TmpStore/Dao.php:\n$item[\u0027data\u0027] = unserialize($item[\u0027data\u0027], [\u0027allowed_classes\u0027 =\u003e false]);\n```\n\n## References\n- CWE-502: Deserialization of Untrusted Data\n- OWASP Deserialization Cheat Sheet\n- phpggc: PHP Generic Gadget Chains",
"id": "GHSA-36fc-7wjg-mfvj",
"modified": "2026-07-10T19:07:27Z",
"published": "2026-05-27T16:57:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-36fc-7wjg-mfvj"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/pull/19119"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/commit/4788bf3a3a7f2f760a8fe61e522565941e154e1e"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.