CVE-2026-27461
Received Received - Intake
Regex Injection in Pimcore Admin Panel Enables Full Database Exposure

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Exploiting this issue requires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users. Version 12.3.3 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27461
EUVD
EUVD-2026-7398
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pimcore pimcore to 11.5.14.1 (inc)
pimcore pimcore From 12.0.0 (inc) to 12.3.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27461 is a SQL injection vulnerability in the Pimcore platform affecting versions up to 11.5.14.1 and 12.3.2. The issue occurs because the filter query parameter in dependency listing endpoints is JSON-decoded and its value field is directly concatenated into SQL RLIKE clauses without sanitization or parameterized queries. This improper handling allows an attacker with admin panel access to inject malicious SQL code.

Specifically, the vulnerability arises in the methods getFilterRequiresByPath() and getFilterRequiredByPath() in the Dependency Dao component, where the filter value is used unsafely in SQL queries. Exploiting this requires administrative authentication.

The vulnerability enables attackers to perform SQL injection attacks such as time-based blind SQL injection and error-based data extraction, potentially allowing them to extract the entire database including password hashes of other admin users.

Impact Analysis

[{'type': 'paragraph', 'content': 'If exploited, this vulnerability allows an attacker with admin access to extract the full database contents from the Pimcore platform. This includes sensitive information such as password hashes of other admin users.'}, {'type': 'paragraph', 'content': "The attacker can execute arbitrary SQL commands via the unsanitized filter parameter, which can lead to unauthorized data disclosure, potential data manipulation, and compromise of the entire system's integrity."}, {'type': 'paragraph', 'content': 'Because exploitation requires admin authentication, the risk is limited to scenarios where an attacker has or gains administrative access, but the impact in such cases is severe.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing unusual delays or error messages in the Pimcore admin panel dependency listing endpoints when using the filter query parameter. Specifically, time-based blind SQL injection can be tested by sending a crafted filter value that causes a delay, such as "x\' OR SLEEP(5)#", which results in a noticeable delay in response time.'}, {'type': 'paragraph', 'content': 'Error-based SQL injection can be detected by sending a filter value that triggers an error revealing database information, for example: "x\' OR extractvalue(1,concat(0x7e,(SELECT version())))#" which returns the MySQL version in the error response.'}, {'type': 'paragraph', 'content': 'These tests require administrative authentication to access the vulnerable endpoints.'}, {'type': 'list_item', 'content': 'Use an HTTP client (e.g., curl) to send a GET request to /admin/element/get-requires-dependencies with a filter parameter containing a payload like: {"value":"x\' OR SLEEP(5)#"} and observe if the response is delayed.'}, {'type': 'list_item', 'content': 'Send a similar request with a payload like: {"value":"x\' OR extractvalue(1,concat(0x7e,(SELECT version())))#"} and check if the error response reveals database version information.'}] [2]

Mitigation Strategies

The immediate mitigation step is to upgrade Pimcore to a patched version where this vulnerability is fixed.

Specifically, upgrade to Pimcore version 12.3.3 or later, which includes a patch that refactors the vulnerable SQL queries to use parameter binding instead of unsafe string concatenation, thereby preventing SQL injection.

If upgrading immediately is not possible, restrict administrative access to trusted users only, as exploitation requires admin authentication.

Monitor and audit admin panel access logs for suspicious activity related to dependency listing endpoints.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart