CVE-2026-11407 | Severity: HIGH | CNA: VulnCheck

CVE-2026-11407: Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed

Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in the custom Twig SecurityPolicy. Attackers can supply malicious Twig templates through the DataObject ClassDefinition Layout\Text component to perform arbitrary file reads, execute arbitrary database queries, and potentially achieve remote code execution via PHP object gadget chains, with the pimcore_* function wildcard further broadening the bypass to all Pimcore Twig functions.

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: fffa7f6396329e88610db70a8652529bbc734892
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a Twig sandbox bypass vulnerability in Pimcore CMS/DXP version 12.3.8 and earlier. An authenticated attacker with administrative privileges can reach the vulnerable component over the network by supplying crafted Twig templates through the DataObject ClassDefinition Layout\Text component, exploiting empty checkMethodAllowed() and checkPropertyAllowed() implementations in Pimcore's custom Twig SecurityPolicy to call arbitrary PHP object methods. Successful exploitation enables arbitrary file reads, arbitrary database query execution, and remote code execution via PHP object gadget chains. A patched-image rebuild pinned to the fix commit (fffa7f6396329e88610db70a8652529bbc734892) is available on HarborGuard for environments running an affected version.
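The empty-hook pattern the synopsis describes, beside a deny-by-default alternative, as an added PHP example (not Pimcore's own code; it assumes Twig 3 installed via Composer, and the class names, the allowlist contents and the buildSandboxedEnvironment() helper are illustrative):

```php
<?php
// Added illustration for the weakness described in CVE-2026-11407: a Twig
// SecurityPolicy whose per-object hooks never reject anything, beside a policy
// that enforces an explicit allowlist. Class names and allowlist contents are
// assumptions for this example; this is not Pimcore's code.

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityNotAllowedFilterError;
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedMethodError;
use Twig\Sandbox\SecurityNotAllowedPropertyError;
use Twig\Sandbox\SecurityNotAllowedTagError;
use Twig\Sandbox\SecurityPolicyInterface;

// The shape the advisory describes: Twig's sandbox calls these hooks for every
// method call and property access in a template, but a hook that never throws
// grants access to every method and property of every object in the context.
final class PermissiveTemplatePolicy implements SecurityPolicyInterface
{
    public function checkSecurity($tags, $filters, $functions): void
    {
        // tag/filter/function gating omitted; the two hooks below are the point
    }

    public function checkMethodAllowed($obj, $method): void
    {
        // empty: any method on any object can be called from a template
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        // empty: any property on any object can be read from a template
    }
}

// Hardened shape: deny by default, allow only enumerated tags, filters,
// functions, methods and properties. Method names are compared
// case-insensitively because PHP method names are case-insensitive.
final class AllowlistTemplatePolicy implements SecurityPolicyInterface
{
    /** @var array<class-string, list<string>> */
    private array $allowedMethods = [];

    public function __construct(
        private array $allowedTags,
        private array $allowedFilters,
        array $allowedMethods,
        private array $allowedProperties,
        private array $allowedFunctions,
    ) {
        foreach ($allowedMethods as $class => $names) {
            $this->allowedMethods[$class] = array_map('strtolower', $names);
        }
    }

    public function checkSecurity($tags, $filters, $functions): void
    {
        foreach ($tags as $tag) {
            if (!in_array($tag, $this->allowedTags, true)) {
                throw new SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag);
            }
        }
        foreach ($filters as $filter) {
            if (!in_array($filter, $this->allowedFilters, true)) {
                throw new SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter);
            }
        }
        // Functions are matched exactly; no prefix wildcards such as pimcore_*.
        foreach ($functions as $function) {
            if (!in_array($function, $this->allowedFunctions, true)) {
                throw new SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
            }
        }
    }

    public function checkMethodAllowed($obj, $method): void
    {
        $method = strtolower($method);
        foreach ($this->allowedMethods as $class => $names) {
            if ($obj instanceof $class && in_array($method, $names, true)) {
                return; // explicitly allowed for this class
            }
        }
        throw new SecurityNotAllowedMethodError(
            sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj)),
            get_class($obj),
            $method,
        );
    }

    public function checkPropertyAllowed($obj, $property): void
    {
        foreach ($this->allowedProperties as $class => $names) {
            if ($obj instanceof $class && in_array($property, $names, true)) {
                return;
            }
        }
        throw new SecurityNotAllowedPropertyError(
            sprintf('Calling "%s" property on a "%s" object is not allowed.', $property, get_class($obj)),
            get_class($obj),
            $property,
        );
    }
}

// Wiring (assumed allowlist): register the policy with SandboxExtension in
// global sandbox mode so every user-supplied template is rendered sandboxed.
function buildSandboxedEnvironment(Environment $twig): Environment
{
    $policy = new AllowlistTemplatePolicy(
        ['if', 'for'],                                 // tags
        ['escape', 'date'],                            // filters
        [\DateTimeInterface::class => ['format']],   // methods, per class
        [],                                            // properties, per class
        ['range'],                                     // functions, enumerated
    );
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}
```

Twig's stock Twig\Sandbox\SecurityPolicy takes the same five arrays and already implements these checks, so a custom policy is only warranted when it adds restrictions; when reviewing one, the audit question is whether every hook throws on its default path rather than returning silently.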

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-11407 is available across every HarborGuard environment, with the CVE ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Pimcore CMS/DXP. Images carrying the affected version (12.3.8 and earlier) are flagged automatically.

Triage (Available)

Triage is available using the CVSS v4.0 base score of 8.6 (HIGH), surfaced alongside per-environment compliance policy weighting so teams can calibrate urgency against their own risk thresholds. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild against the upstream fix commit (fffa7f6396329e88610db70a8652529bbc734892) is available on HarborGuard for any environment running an affected Pimcore version. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Pimcore application over the network; the vulnerable template rendering endpoint is exposed via standard HTTP/HTTPS.

  • Authentication: Required

    An administrative account is required; the attacker must authenticate before accessing the DataObject ClassDefinition Layout editor where malicious templates can be submitted.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker submits the crafted Twig template directly and the payload executes server-side without any secondary user action.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and imposes no race conditions or special environmental prerequisites beyond holding an admin credential.

Blast Radius

  • Reads arbitrary files from the server filesystem, including application secrets, environment configuration files, and private keys accessible to the web process.
  • Executes arbitrary database queries against the Pimcore database, exposing or modifying stored content, user records, and application data.
  • Achieves remote code execution by chaining PHP object methods through gadget chains available in the application's dependency tree.
  • Fully compromises the integrity and confidentiality of the CMS instance, with all three impact dimensions (confidentiality, integrity, availability) rated HIGH in the CVSS v4.0 vector.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11407 is active across connected registries and pipelines, flagging any image that includes Pimcore CMS/DXP at version 12.3.8 or earlier. A patched-image rebuild pinned to fix commit fffa7f6396329e88610db70a8652529bbc734892 is available immediately. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes a regression test run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a full diff are staged for reviewer sign-off. Because administrative access is the prerequisite for exploitation, customers who cannot patch immediately should consider tightening admin account controls and auditing which users hold roles that permit template editing in the DataObject ClassDefinition interface.


Fix available

Patch commits: fffa7f6396329e88610db70a8652529bbc734892

Affected packages
  • Pimcore GmbH / Pimcore CMS/DXP, versions ≤ 12.3.8, fixed in fffa7f6396329e88610db70a8652529bbc734892

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N