CVE-2026-27461
Status: Received - Intake
Regex Injection in Pimcore Admin Panel Enables Full Database Exposure

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
Meta Information
Published: 2026-02-24
Last Modified: 2026-02-25
Generated: 2026-05-27
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product   Version / Range
pimcore  pimcore   up to 11.5.14.1 (inclusive)
pimcore  pimcore   from 12.0.0 (inclusive) to 12.3.3 (exclusive)
CWE
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27461 is a SQL injection vulnerability in the Pimcore platform affecting versions up to 11.5.14.1 and 12.3.2. The issue occurs because the filter query parameter in dependency listing endpoints is JSON-decoded and its value field is directly concatenated into SQL RLIKE clauses without sanitization or parameterized queries. This improper handling allows an attacker with admin panel access to inject malicious SQL code.

Specifically, the vulnerability arises in the methods getFilterRequiresByPath() and getFilterRequiredByPath() in the Dependency Dao component, where the filter value is used unsafely in SQL queries. Exploiting this requires administrative authentication.

The vulnerability enables attackers to perform SQL injection attacks such as time-based blind SQL injection and error-based data extraction, potentially allowing them to extract the entire database including password hashes of other admin users.
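To make the flaw concrete, here is an added Python example, not Pimcore's code, that builds a stand-in for the dependency filter query two ways: the shape the description criticises, with the JSON-decoded `value` spliced into the pattern-matching clause as text, next to the parameter-bound shape that the 12.3.3 patch is described as using. SQLite stands in for MySQL: it has no RLIKE, so a REGEXP function is registered to get the same query shape, and `--` is used as the comment marker where MySQL would also accept `#`. The table, its rows and the function names are constructed for this example.

```python
import json
import re
import sqlite3

# Constructed rows standing in for a dependency table (hypothetical schema, not Pimcore's).
SAMPLE_ROWS = [
    ("/Documents/home", "document"),
    ("/Assets/logo.png", "asset"),
    ("/Objects/secret-admin", "object"),
]


def _regexp(pattern, value):
    """SQLite has no RLIKE; `x REGEXP y` calls this as regexp(y, x) once registered."""
    if value is None:
        return False
    return re.search(pattern, value) is not None


def open_db():
    """In-memory database with a REGEXP function so the query shape matches MySQL RLIKE."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE dependencies (path TEXT, type TEXT)")
    conn.executemany("INSERT INTO dependencies VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def filter_paths_vulnerable(conn, filter_json):
    """The flawed shape: JSON-decode the filter and splice `value` into the clause as SQL text."""
    value = json.loads(filter_json)["value"]
    sql = "SELECT path FROM dependencies WHERE path REGEXP '" + value + "'"
    return [row[0] for row in conn.execute(sql)]


def filter_paths_fixed(conn, filter_json):
    """The patched shape: the value travels as a bound parameter, never as SQL text."""
    value = json.loads(filter_json)["value"]
    sql = "SELECT path FROM dependencies WHERE path REGEXP ?"
    try:
        return [row[0] for row in conn.execute(sql, (value,))]
    except sqlite3.OperationalError:
        # An invalid regular expression makes the REGEXP function raise inside the
        # database; report "no match" instead of surfacing the database error.
        return []


if __name__ == "__main__":
    db = open_db()
    benign = '{"value": "^/Assets"}'
    hostile = '{"value": "x\' OR 1=1 --"}'
    print("benign, vulnerable :", filter_paths_vulnerable(db, benign))
    print("benign, fixed      :", filter_paths_fixed(db, benign))
    print("hostile, vulnerable:", filter_paths_vulnerable(db, hostile))  # every row comes back
    print("hostile, fixed     :", filter_paths_fixed(db, hostile))       # [] - value is just a pattern
```

With the bound parameter the quote and comment marker are ordinary characters inside a regular expression, so the hostile value matches nothing. Binding fixes the SQL injection only: the value is still a user-chosen regular expression evaluated by the database, so capping its length or character set is a reasonable extra guard against pathological patterns.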


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with admin access to extract the full database contents from the Pimcore platform. This includes sensitive information such as password hashes of other admin users.

The attacker can execute arbitrary SQL commands via the unsanitized filter parameter, which can lead to unauthorized data disclosure, potential data manipulation, and compromise of the entire system's integrity.

Because exploitation requires admin authentication, the risk is limited to scenarios where an attacker has or gains administrative access, but the impact in such cases is severe. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing unusual delays or error messages in the Pimcore admin panel dependency listing endpoints when using the filter query parameter. Specifically, time-based blind SQL injection can be tested by sending a crafted filter value that causes a delay, such as "x' OR SLEEP(5)#", which results in a noticeable delay in response time.

Error-based SQL injection can be detected by sending a filter value that triggers an error revealing database information, for example: "x' OR extractvalue(1,concat(0x7e,(SELECT version())))#" which returns the MySQL version in the error response.

These tests require administrative authentication to access the vulnerable endpoints.

- Use an HTTP client (e.g., curl) to send a GET request to /admin/element/get-requires-dependencies with a filter parameter containing a payload like: {"value":"x' OR SLEEP(5)#"} and observe if the response is delayed.
- Send a similar request with a payload like: {"value":"x' OR extractvalue(1,concat(0x7e,(SELECT version())))#"} and check if the error response reveals database version information. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Pimcore to a patched version where this vulnerability is fixed.

Specifically, upgrade to Pimcore version 12.3.3 or later, which includes a patch that refactors the vulnerable SQL queries to use parameter binding instead of unsafe string concatenation, thereby preventing SQL injection.

If upgrading immediately is not possible, restrict administrative access to trusted users only, as exploitation requires admin authentication.

Monitor and audit admin panel access logs for suspicious activity related to dependency listing endpoints.
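For the last step, monitoring access logs, here is an added Python example (not a Pimcore or vendor tool) that scans combined-format web server log lines for requests to the endpoint named on this page whose JSON `filter` value is shaped like the payloads quoted above. The log lines, the heuristic patterns and the alert format are constructed for this example; only the endpoint path and the payload shapes come from the page.

```python
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Endpoint named in the advisory text; add further dependency-listing routes as needed.
WATCHED_PATHS = {"/admin/element/get-requires-dependencies"}

# Heuristics for injection-shaped filter values (constructed for this example; tune them).
# A legitimate regex filter rarely contains quotes, comment markers or SQL function calls.
SUSPICIOUS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"#|--|/\*"), "SQL comment marker"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based primitive"),
    (re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I), "error-based primitive"),
    (re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I), "UNION SELECT"),
]

# Apache/Nginx combined log format: ip ident user [ts] "method target proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def extract_filter_value(target):
    """Return the `value` field of the JSON `filter` query parameter for watched paths, else None."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    raw = parse_qs(parts.query).get("filter")
    if not raw:
        return None
    try:
        decoded = json.loads(raw[0])
        value = decoded.get("value") if isinstance(decoded, dict) else None
    except json.JSONDecodeError:
        value = raw[0]  # malformed JSON: inspect the raw text rather than dropping the request
    return value if isinstance(value, str) else None


def classify(value):
    """Labels of every heuristic the filter value trips (empty list when it looks benign)."""
    return [label for pattern, label in SUSPICIOUS if pattern.search(value)]


def scan_log(lines):
    """One alert per request whose dependency filter value looks injection-shaped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = extract_filter_value(m["target"])
        if value is None:
            continue
        reasons = classify(value)
        if reasons:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "ua": m["ua"],
                           "value": value, "reasons": reasons})
    return alerts


def constructed_line(ip, ts, ua, filter_json):
    """Build a combined-format line for the watched endpoint (sample data, not a real log)."""
    target = "/admin/element/get-requires-dependencies?filter=" + quote(filter_json, safe="")
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed sample log: a benign regex filter, the two payload shapes quoted on the page,
# and one unrelated request to a path that is not watched.
SAMPLE_LOG = [
    constructed_line("10.0.0.5", "24/Feb/2026:10:15:01 +0000", "Mozilla/5.0", '{"value":"^/Assets"}'),
    constructed_line("10.0.0.9", "24/Feb/2026:10:16:30 +0000", "curl/8.5.0", '{"value":"x\' OR SLEEP(5)#"}'),
    constructed_line("10.0.0.9", "24/Feb/2026:10:16:41 +0000", "curl/8.5.0",
                     '{"value":"x\' OR extractvalue(1,concat(0x7e,(SELECT version())))#"}'),
    '10.0.0.9 - - [24/Feb/2026:10:16:50 +0000] "GET /admin/login HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["ua"], "->", ", ".join(alert["reasons"]))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines. Because the query string is what the server logged, this only sees GET requests; if the endpoint also accepts the filter in a POST body, the same `extract_filter_value` logic has to run on request bodies captured by a WAF or application log instead. Expect some false positives from legitimate regex filters and tune `SUSPICIOUS` accordingly.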

