SB2026062994 - Multiple vulnerabilities in Pimcore Studio Backend bundle

Published: June 29, 2026

Security Bulletin ID: SB2026062994
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity: High 33%, Low 67%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Authorization (CVE-ID: CVE-2026-55212)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper authorization in the Studio API class definition creation endpoint when it handles class definition creation requests. A remote user can send a crafted request to create class definitions and thereby escalate privileges.

The issue affects authenticated users with the standard objects permission, even though the operation should be restricted to class-management functionality.


2) SQL injection (CVE-ID: CVE-2026-55208)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information from the database.

The vulnerability exists due to SQL injection in the DateFilter column key parameter in listing filters and the Note FilterService when handling crafted columnFilters input in affected listing endpoints. A remote user can send a specially crafted request with a malicious column key to disclose sensitive information from the database.

The issue is exploitable through time-based blind SQL injection and can be used to extract data such as admin password hashes, password recovery tokens, session data, and other database content one character at a time.
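The root cause described above is a client-supplied column identifier reaching SQL text. Identifiers cannot be bound as query parameters, so the defensive pattern is an exact-match allowlist of permitted columns, with the filter values still bound. The following is an added illustration written for this bulletin, not Pimcore code: the table, column names (creationDate, modificationDate), the endpoint helper and the SQLite backing store are all constructed for the example.

```python
import sqlite3
from typing import Any, Iterable, List, Tuple

# Constructed allowlist: the only columns a listing endpoint may use in a date
# filter. Hypothetical names; they are not taken from the Pimcore code base.
ALLOWED_DATE_COLUMNS = frozenset({"creationDate", "modificationDate"})


class InvalidColumnKey(ValueError):
    """Raised when a client-supplied column key is not in the allowlist."""


def validate_column_key(key: str, allowed: Iterable[str]) -> str:
    # Exact match against known identifiers. No escaping, no regex: a key that
    # is not literally one of the allowed names is rejected outright.
    if key not in frozenset(allowed):
        raise InvalidColumnKey(f"unknown column key: {key!r}")
    return key


def column_key_is_accepted(key: str) -> bool:
    try:
        validate_column_key(key, ALLOWED_DATE_COLUMNS)
        return True
    except InvalidColumnKey:
        return False


def build_date_filter_unsafe(column_key: str, start: int, end: int) -> Tuple[str, tuple]:
    # The anti-pattern: the identifier is spliced into the SQL text, so a key
    # that contains SQL syntax changes the structure of the query. Shown for
    # comparison only; nothing below executes it.
    return f"{column_key} BETWEEN ? AND ?", (start, end)


def build_date_filter(column_key: str, start: int, end: int) -> Tuple[str, tuple]:
    # Hardened form: identifier from the allowlist, quoted; values bound.
    col = validate_column_key(column_key, ALLOWED_DATE_COLUMNS)
    return f'"{col}" BETWEEN ? AND ?', (start, end)


def list_objects(conn: sqlite3.Connection, column_key: str, start: int, end: int) -> List[Any]:
    # Constructed listing endpoint: returns ids matching the date filter.
    where, params = build_date_filter(column_key, start, end)
    cur = conn.execute(f"SELECT id FROM objects WHERE {where} ORDER BY id", params)
    return [row[0] for row in cur.fetchall()]


def demo_connection() -> sqlite3.Connection:
    # Constructed in-memory sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE objects (id INTEGER PRIMARY KEY, '
        '"creationDate" INTEGER, "modificationDate" INTEGER)'
    )
    conn.executemany(
        "INSERT INTO objects VALUES (?, ?, ?)",
        [(1, 100, 150), (2, 200, 250), (3, 300, 350)],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_objects(conn, "creationDate", 150, 350))
    print(column_key_is_accepted("creationDate) OR 1=1 --"))
```

The unsafe builder shows why a time-based blind technique works at all: whatever the client places in the column key becomes part of the statement. With the allowlist in front, a rejected key is also a clean detection signal worth logging, since legitimate clients only ever send the handful of known names.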


3) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2026-55207)

CWE-ID: CWE-640 - Weak password recovery mechanism

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to hijack an administrator account and bypass two-factor authentication.

The vulnerability exists due to a weak password recovery mechanism in the reset password endpoint and the token-based login flow: the password reset request carries an attacker-controlled reset URL, and the victim later follows the emailed link. A remote attacker can submit a password reset request that causes a valid recovery token to be sent to an attacker-controlled server, then use it to hijack an administrator account and bypass two-factor authentication.

User interaction is required because the victim must click a legitimate password reset link delivered by the application.
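Two design points follow from this description: the origin of an emailed reset link must come from server-side configuration, never from anything in the reset request, and a recovery token should only authorise setting a new password, not grant a logged-in session that skips the second factor. The code below is an added illustration for this bulletin and is not Pimcore's implementation; the base URL, the /admin/reset-password path, the store layout and the user records are all constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Hypothetical deployment setting. The host in emailed links comes from here,
# not from the request that asked for the reset.
CONFIG_BASE_URL = "https://cms.example.com"
TOKEN_TTL_SECONDS = 15 * 60


def build_reset_link_unsafe(token: str, requested_url: str) -> str:
    # Anti-pattern: a URL taken from the request decides where the token goes.
    return f"{requested_url}?{urlencode({'token': token})}"


def build_reset_link(token: str, base_url: str = CONFIG_BASE_URL) -> str:
    # Hardened form: fixed origin and fixed (constructed) path; only the token varies.
    parts = urlsplit(base_url)
    query = urlencode({"token": token})
    return f"{parts.scheme}://{parts.netloc}/admin/reset-password?{query}"


def _digest(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class ResetStore:
    # Keyed by SHA-256 of the token, so a copy of this table does not yield
    # usable tokens (the same data the SQL injection above could reach).
    records: Dict[str, ResetRecord] = field(default_factory=dict)

    def issue(self, user_id: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)
        self.records[_digest(raw)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
        return raw

    def consume(self, raw: str, now: float) -> Optional[str]:
        rec = self.records.get(_digest(raw))
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True  # single use: a replayed link does nothing
        return rec.user_id


def complete_reset(store: ResetStore, raw_token: str, new_password_hash: str,
                   users: Dict[str, dict], now: float) -> Tuple[bool, str]:
    """Set the new password. Deliberately does NOT create a session.

    The token only authorises a password change; the user then signs in
    normally, including the second factor when one is enrolled.
    """
    user_id = store.consume(raw_token, now)
    if user_id is None:
        return False, "invalid_or_expired"
    user = users[user_id]
    user["password_hash"] = new_password_hash
    next_step = "login_required_with_2fa" if user["totp_enrolled"] else "login_required"
    return True, next_step


if __name__ == "__main__":
    store = ResetStore()
    users = {"admin": {"password_hash": "old", "totp_enrolled": True}}  # constructed
    token = store.issue("admin", now=1000.0)
    print(build_reset_link(token))
    print(complete_reset(store, token, "new", users, now=1100.0))
```

Returning a "next step" instead of a session is what keeps two-factor authentication in the path: the reset proves control of the mailbox, not possession of the second factor, so it should not be exchanged for a login.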


Remediation

Install the update from the vendor's website.