Skip to content

Pimcore

v2026.1.3 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 15d Data Warehouses & Analytics
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 2 known CVEs

Topics

cdp cms cms-framework customer-data-platform dam data-management
+13 more
digital-platform ecommerce ecommerce-platform experience-manager master-data-management mdm online-shop pim pimcore product-information-management product-management shop wcms

Affected surfaces

auth rbac

Summary

AI summary

Add permission check for view access in Word Export TranslationController and harden unserializer.

Changes in this release

Security Medium

Improve Composite Index in ClassDefinition

Improve Composite Index in ClassDefinition

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low
Security Medium

Add permission check for view access in Word Export TranslationController

Add permission check for view access in Word Export TranslationController

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low
Security Medium

Harden unserializer and refine allowed classes

Harden unserializer and refine allowed classes

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low
Security Medium

Enhance Authorization in WebDAV MOVE via unchecked asset move handling

Enhance Authorization in WebDAV MOVE via unchecked asset move handling

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low
Feature Medium

Prefer storage-reported MIME type after asset write (fallback to stream sniffing)

Prefer storage-reported MIME type after asset write (fallback to stream sniffing)

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high
Feature Medium

Rename update guide from V12 to V13 to V12 to V2026

Rename update guide from V12 to V13 to V12 to V2026

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low
Deprecation Medium

Deprecate overriding configureContainer/configureRoutes

Deprecate overriding configureContainer/configureRoutes

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high
Bugfix Medium

Decouple InstallerKernel from MicroKernelTrait private API

Decouple InstallerKernel from MicroKernelTrait private API

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high
Bugfix Medium

Improve memory usage in asset custom settings migration

Improve memory usage in asset custom settings migration

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high
Bugfix Medium

Error message "Cannot traverse an already closed generator" fixed when moving folder with assets

Error message "Cannot traverse an already closed generator" fixed when moving folder with assets

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high
Bugfix Medium

Admin translations not cleaned up in 2026 are now cleaned up

Admin translations not cleaned up in 2026 are now cleaned up

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high
Bugfix Medium

Fix Pimcore version in upgrade docs

Fix Pimcore version in upgrade docs

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low
Full changelog

What's Changed

  • Rename update guide from V12 to V13 to V12 to V2026 by @jdreesen in https://github.com/pimcore/pimcore/pull/19105
  • Fix Pimcore version in upgrade docs by @jdreesen in https://github.com/pimcore/pimcore/pull/19101
  • [Security]: Improve Composite Index in ClassDefnition by @kingjia90 in https://github.com/pimcore/pimcore/pull/19108
  • [Security]: Add permission check for view access in Word Export TranslationController by @kingjia90 in https://github.com/pimcore/pimcore/pull/19112
  • [Bug, InstallBundle] Decouple InstallerKernel from MicroKernelTrait private API by @mcop1 in https://github.com/pimcore/pimcore/pull/19113
  • [Deprecation, Kernel] Deprecate overriding configureContainer/configureRoutes by @mcop1 in https://github.com/pimcore/pimcore/pull/19114
  • [Security]: Harden unserializer and refine allowed classes by @kingjia90 in https://github.com/pimcore/pimcore/pull/19119
  • [Security]Enhance Authorization in WebDAV MOVE via unchecked asset move handling by @kingjia90 in https://github.com/pimcore/pimcore/pull/19120
  • Prefer storage-reported MIME type after asset write (fallback to stream sniffing) by @vrobert78 in https://github.com/pimcore/pimcore/pull/18900
  • [Bug, EC] PEES-942: Improve memory usage in asset custom settings migration by @kingjia90 in https://github.com/pimcore/pimcore/pull/19127
  • [Bug] Error message "Cannot traverse an already closed generator" pops up when moving folder with assets by @MartaMarija in https://github.com/pimcore/pimcore/pull/18968
  • [Bug]: Admin translations not cleaned up in 2026 by @robertSt7 in https://github.com/pimcore/pimcore/pull/19130

Full Changelog: https://github.com/pimcore/pimcore/compare/v2026.1.2...v2026.1.3

Security Fixes

  • Add permission check for view access in Word Export TranslationController
  • Harden unserializer and refine allowed classes
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Pimcore

Get notified when new releases ship.

Sign up free

About Pimcore

Multi-channel experience and engagement management platform.

All releases →

Related context

Beta — feedback welcome: [email protected]