CVE-2026-23493
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: GitHub, Inc.

Description
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23493
EUVD
EUVD-2026-2729
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pimcore pimcore to 11.5.14 (inc)
pimcore pimcore to 12.3.1 (inc)
pimcore pimcore to 11.5.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Pimcore involves the improper logging of sensitive data such as POST parameters, cookies, and server environment variables in the HTTP error log. Specifically, the http_error_log file stored contents of PHP superglobals $_COOKIE and $_SERVER, exposing sensitive information like database passwords and session cookie data through the Pimcore backend interface. The issue was caused by code that logged these sensitive variables unnecessarily. The fix removes the logging and display of these sensitive data fields from the error logs, preventing potential exposure of confidential information. [1, 3]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive information such as database passwords and session cookies by anyone who can access the Pimcore backend error logs. Since the logs contain sensitive POST data, cookies, and server variables, an attacker could exploit this to compromise confidentiality, potentially leading to data breaches or unauthorized system access. The vulnerability can be exploited remotely without authentication or user interaction, making it a high-risk issue. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by checking the Pimcore backend for HTTP error log entries that contain sensitive data such as $_COOKIE and $_SERVER variables. Specifically, you can access the Pimcore backend, navigate to 'Search Engine Optimization' then 'HTTP Errors', and view the details of logged error entries to see if sensitive data is present. Additionally, inspecting the database table `http_error_log` for columns `parametersPost`, `cookies`, and `serverVars` and their contents can help detect if sensitive data has been logged. There are no specific command-line commands provided in the resources, but querying the database for these columns or reviewing the backend error log UI are the suggested methods. [3, 1]

Mitigation Strategies

Immediate mitigation steps include upgrading Pimcore to version 12.3.1 or 11.5.14 or later, where the vulnerability is fixed. The fix involves removing the logging of sensitive data ($_POST, $_COOKIE, $_SERVER) from the HTTP error logs. Additionally, running the provided optional database migration script to remove previously logged sensitive data from the `http_error_log` table is recommended. This update disables storage and display of sensitive information in error logs, preventing exposure. Applying the official security update and ensuring no legacy logging of sensitive data remains are the key mitigation actions. [1, 2, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23493. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart