SB2026062994 - Multiple vulnerabilities in Pimcore Studio Backend bundle
Published: June 29, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2026-55212)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper authorization in the Studio API class definition creation endpoint when handling class definition creation requests. A remote user can send a crafted request to create class definitions and escalate privileges.
The issue affects authenticated users with the standard objects permission, even though the operation should be restricted to class-management functionality.
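The defect described above is a route-to-permission mapping problem: a schema-level operation is reachable with a broader, less privileged permission. The following is an added illustration, not Pimcore's code (Pimcore itself is a PHP/Symfony application; this is language-neutral Python). The permission names, routes and policy tables are constructed for the example. It shows the weak mapping beside the hardened one, a deny-by-default authorization check, and a small audit function that can be run as a regression test to catch any class-management route that is not gated by the class-management permission.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Permission identifiers are constructed for this example; they are not
# Pimcore's real permission names.
PERM_OBJECTS = "objects"      # work with data objects
PERM_CLASSES = "classes"      # manage class definitions (schema-level, privileged)

# Routes whose handlers change class definitions. Anything here must be gated
# by PERM_CLASSES, never by the broader PERM_OBJECTS.
CLASS_MANAGEMENT_ROUTES = frozenset({"POST /class-definitions"})


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]


class Forbidden(Exception):
    """Raised when the caller lacks the permission the route requires."""


# Route -> permission required. The weak policy reproduces the advisory's
# defect: class-definition creation is reachable with the objects permission.
WEAK_POLICY: Dict[str, str] = {
    "POST /objects": PERM_OBJECTS,
    "POST /class-definitions": PERM_OBJECTS,
}
HARDENED_POLICY: Dict[str, str] = {
    "POST /objects": PERM_OBJECTS,
    "POST /class-definitions": PERM_CLASSES,
}


def authorize(policy: Dict[str, str], user: User, route: str) -> str:
    """Deny by default: unknown routes and missing permissions both fail closed."""
    required = policy.get(route)
    if required is None:
        raise Forbidden(f"{route}: no policy entry, denied by default")
    if required not in user.permissions:
        raise Forbidden(f"{route}: requires '{required}', user {user.name} lacks it")
    return required


def create_class_definition(policy: Dict[str, str], user: User, name: str) -> dict:
    """Handler for class-definition creation; authorization runs before any work."""
    authorize(policy, user, "POST /class-definitions")
    return {"created": name, "by": user.name}


def audit_policy(policy: Dict[str, str]) -> List[str]:
    """Return class-management routes gated by anything other than PERM_CLASSES.

    An empty list means every schema-level route demands the privileged
    permission; a non-empty list is a finding.
    """
    return sorted(
        route for route in CLASS_MANAGEMENT_ROUTES
        if policy.get(route) != PERM_CLASSES
    )


if __name__ == "__main__":
    editor = User("editor", frozenset({PERM_OBJECTS}))
    print("weak policy findings:", audit_policy(WEAK_POLICY))
    print("hardened policy findings:", audit_policy(HARDENED_POLICY))
    print(create_class_definition(WEAK_POLICY, editor, "Product"))
    try:
        create_class_definition(HARDENED_POLICY, editor, "Product")
    except Forbidden as exc:
        print("denied:", exc)
```

The audit function is the part worth keeping around: when each route's required permission lives in one table, a single test can assert that no schema-changing route has quietly been placed behind a lesser permission.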
2) SQL injection (CVE-ID: CVE-2026-55208)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information from the database.
The vulnerability exists due to SQL injection in the DateFilter column key parameter in listing filters and the Note FilterService when handling crafted columnFilters input in affected listing endpoints. A remote user can send a specially crafted request with a malicious column key to disclose sensitive information from the database.
The issue is exploitable through time-based blind SQL injection and can be used to extract data such as admin password hashes, password recovery tokens, session data, and other database content one character at a time.
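The column key in a listing filter is an SQL identifier, and identifiers cannot be bound as query parameters; binding the date values does nothing for the column position. The added example below is not Pimcore's code (Pimcore is PHP/Symfony; this is a language-neutral Python illustration against an in-memory SQLite table with constructed rows). It shows the vulnerable builder that interpolates the caller-supplied key, the hardened builder that resolves the key through an allow-list of known columns, and a small detection helper that flags column keys in request logs that are neither well-formed identifiers nor on the allow-list. The table, column names and client-facing keys are assumptions made for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Client-facing column keys -> real table columns. Only keys in this map may
# ever reach the SQL text. Constructed for this example.
DATE_COLUMNS = {
    "creationDate": "creation_date",
    "modificationDate": "modification_date",
}

# Shape of a legitimate column key; anything else in a columnFilters payload
# is worth flagging in request logs.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_date_filter_unsafe(column_key: str, start: str, end: str) -> Tuple[str, tuple]:
    """Vulnerable pattern: the caller-supplied key is pasted into the SQL text.

    Binding the date values does not help, because the identifier position
    cannot be parameterised.
    """
    return (
        f"SELECT id, title FROM notes WHERE {column_key} BETWEEN ? AND ? ORDER BY id",
        (start, end),
    )


def build_date_filter(column_key: str, start: str, end: str) -> Tuple[str, tuple]:
    """Hardened: resolve the key through the allow-list, bind the values."""
    column = DATE_COLUMNS.get(column_key)
    if column is None:
        raise ValueError(f"unknown filter column: {column_key!r}")
    return (
        f"SELECT id, title FROM notes WHERE {column} BETWEEN ? AND ? ORDER BY id",
        (start, end),
    )


def is_suspicious_column_key(column_key: str) -> bool:
    """Detection helper: true when a key is neither well-formed nor allow-listed."""
    return not IDENTIFIER_RE.match(column_key) or column_key not in DATE_COLUMNS


def make_sample_db() -> sqlite3.Connection:
    """In-memory notes table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, "
        "creation_date TEXT, modification_date TEXT)"
    )
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?, ?, ?)",
        [
            (1, "launch checklist", "2026-06-10", "2026-06-11"),
            (2, "retro notes", "2026-05-20", "2026-06-02"),
            (3, "roadmap", "2026-06-28", "2026-06-29"),
        ],
    )
    return conn


def run_date_filter(conn: sqlite3.Connection, column_key: str,
                    start: str, end: str) -> List[Tuple[int, str]]:
    """Execute the hardened filter; raises ValueError for unknown keys."""
    sql, params = build_date_filter(column_key, start, end)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print(run_date_filter(db, "creationDate", "2026-06-01", "2026-06-30"))
    for key in ("creationDate", "modification_date", "creation date"):
        print(f"{key!r}: suspicious={is_suspicious_column_key(key)}")
```

Note that the hardened builder also rejects the raw database column name: the client speaks only in allow-listed keys, so a request that names a real column directly is itself a signal worth logging.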
3) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2026-55207)
CWE-ID: CWE-640 - Weak password recovery mechanism
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to hijack an administrator account and bypass two-factor authentication.
The vulnerability exists due to a weak password recovery mechanism in the reset password endpoint and the token-based login flow: the application accepts an attacker-controlled reset URL in the password reset request, and the victim later follows the emailed link. A remote attacker can submit a password reset request that causes a valid recovery token to be delivered to an attacker-controlled server, then use it to hijack an administrator account and bypass two-factor authentication.
User interaction is required because the victim must click a legitimate password reset link delivered by the application.
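The root cause is that the origin of the reset link is taken from the request rather than from server configuration. The added example below is not Pimcore's code (Pimcore is PHP/Symfony; this is a language-neutral Python illustration). It contrasts a link builder that uses a request-supplied URL with one whose origin is fixed by configuration, and rounds out the recovery flow the way a defender would want it: a server-generated random token, hash-only storage, expiry, single use, constant-time comparison, and a successful reset that only permits setting a new password, so the following login still passes through the second factor. The base URL, TTL and store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlencode

# Server-side configuration (constructed for this example). The reset link's
# origin comes from here and only from here; nothing in the request
# (body fields, Host header) may influence it.
RESET_BASE_URL = "https://cms.example.test/admin/reset-password"
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    token_hash: str   # only the hash is stored; a DB read leaks nothing usable
    expires_at: float
    used: bool = False


class ResetStore:
    """Minimal stand-in for the persistence layer (constructed for the example)."""

    def __init__(self) -> None:
        self.by_user: Dict[str, ResetRecord] = {}


def build_reset_link_unsafe(requested_url: str, token: str) -> str:
    """Weak pattern: base URL taken from the reset request itself."""
    return f"{requested_url}?{urlencode({'token': token})}"


def build_reset_link(token: str) -> str:
    """Hardened: the origin is fixed by server configuration."""
    return f"{RESET_BASE_URL}?{urlencode({'token': token})}"


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(store: ResetStore, username: str, now: float) -> Tuple[str, str]:
    """Create a fresh token, store its hash, return (link, token).

    The token is returned here only so the caller can embed it in the email;
    a real implementation would hand it straight to the mailer.
    """
    token = secrets.token_urlsafe(32)
    store.by_user[username] = ResetRecord(_hash(token), now + TOKEN_TTL_SECONDS)
    return build_reset_link(token), token


def consume_reset(store: ResetStore, username: str, token: str, now: float) -> str:
    """Validate a presented token: constant-time compare, single use, time-limited.

    Returns 'ok', 'invalid', 'used' or 'expired'. A successful reset only lets
    the user set a new password; it never mints an authenticated session, so
    the following login still goes through the second factor.
    """
    rec = store.by_user.get(username)
    if rec is None or not hmac.compare_digest(rec.token_hash, _hash(token)):
        return "invalid"
    if rec.used:
        return "used"
    if now > rec.expires_at:
        return "expired"
    rec.used = True
    return "ok"


if __name__ == "__main__":
    store = ResetStore()
    link, token = issue_reset(store, "admin", now=0.0)
    print("link sent:", link)
    print("unsafe builder would send:", build_reset_link_unsafe("https://example.test/x", token))
    print(consume_reset(store, "admin", token, now=60.0))   # ok
    print(consume_reset(store, "admin", token, now=61.0))   # used
```

Two properties matter most here: the recipient of the token is decided entirely by server configuration, and presenting a valid token buys only a password change, not a logged-in session.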
Remediation
Install the update from the vendor's website.