CVE-2026-45162

HIGHPre-NVD 8.08.0

8.0

Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

GM-374

Summary

Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source.

Affected Component

Package: pimcore/pimcore and pimcore/admin-ui-classic-bundle
Files:
lib/Tool/Authentication.php (line 82) — session token deserialization
models/Site/Dao.php (line 68) — site domains from database
models/DataObject/ClassDefinition/CustomLayout/Dao.php (line 69) — layout definitions from database
models/Tool/TmpStore/Dao.php (line 64) — temporary store data from database
models/Asset/WebDAV/Service.php (line 36) — delete log from filesystem
admin-ui-classic-bundle/src/Helper/Dashboard.php (line 64) — dashboard config from filesystem

Description

Six locations in Pimcore core call unserialize() directly (bypassing Tool\Serialize) on data sourced from database columns or filesystem files without passing the allowed_classes parameter. This means any class available in the autoloader will be instantiated during deserialization.

If an attacker can write to the data source (e.g., via SQL injection targeting the tmp_store, sites, or custom_layouts tables, or via a file write vulnerability targeting the WebDAV delete log), they can inject serialized PHP gadget chains that execute arbitrary code when the data is deserialized.

This is related to but distinct from the Tool\Serialize::unserialize() issue — these calls bypass the wrapper entirely.

Impact

PHP object injection leading to Remote Code Execution when chained with a data source write vulnerability. Pimcore's dependency tree (Guzzle, Symfony, Monolog, Doctrine) provides numerous known gadget chains.

Proof of Concept

Identify a writable data source (e.g., tmp_store table via SQL injection, or webdav-delete.dat via file write)
Write a serialized PHP gadget chain (e.g., Monolog BufferHandler chain from phpggc)
Trigger the deserialization (e.g., access a page that reads TmpStore, or trigger a WebDAV operation)
The gadget chain executes with web server privileges

Suggested Fix

Add allowed_classes parameter to all unserialize() calls. Where no objects are needed, use ['allowed_classes' => false]. Consider migrating to JSON serialization for data that doesn't require object preservation.

// Example fix for Site/Dao.php:
$siteDomains = unserialize($site['domains'], ['allowed_classes' => false]);// Example fix for TmpStore/Dao.php:
$item['data'] = unserialize($item['data'], ['allowed_classes' => false]);

Resources

CWE-502: Deserialization of Untrusted Data
OWASP Deserialization Cheat Sheet
phpggc: PHP Generic Gadget Chains

CVSS v3: 8.0
EG Score: 8.0(low)
EPSS: —
KEV: Not listed

Published

May 27, 2026

Last Modified

May 27, 2026

Vendor Advisories for CVE-2026-45162(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-36fc-7wjg-mfvj
GitHub Security AdvisoriesHigh
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-27 17:35 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-45162?

CVE-2026-45162 is a high vulnerability published on May 27, 2026. Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an…

When was CVE-2026-45162 disclosed?

CVE-2026-45162 was first published in the National Vulnerability Database on May 27, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

What is the CVSS score of CVE-2026-45162?

CVE-2026-45162 has a CVSS v3 base score of 8.0 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-45162?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45162, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45162

Explore →

Is Your Infrastructure Affected by CVE-2026-45162?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs