CVE-2026-5394
Deferred Deferred - Pending Action
SQL Injection via Composite Index in Pimcore

Publication date: 2026-04-27

Last updated on: 2026-05-05

Assigner: Fluid Attacks

Description
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. This issue affects pimcore: 12.3.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5394
EUVD
EUVD-2026-25909
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pimcore pimcore 12.3.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated administrative user to perform unauthorized schema modifications, such as dropping columns, which can lead to data integrity issues and potential denial of service in the backend database.

Such unauthorized changes and potential data corruption could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require maintaining data integrity, availability, and protection against unauthorized access or modification.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Executive Summary

CVE-2026-5394 is a blind SQL injection vulnerability in Pimcore Platform version 12.3.3 that affects the import or saving of DataObject class definitions by authenticated administrative users.

The vulnerability arises because attacker-controlled composite index metadata can be injected via JSON input and concatenated directly into SQL ALTER TABLE statements without proper validation or escaping.

Specifically, the method handling the import accepts compositeIndices from JSON and passes them to a function that constructs raw SQL statements using string concatenation, executing them without quoting identifiers.

This allows an attacker to craft malicious index columns that inject additional SQL commands, such as dropping columns, by abusing the syntax of the ALTER TABLE statement.

Impact Analysis

This vulnerability can lead to unauthorized schema modifications in Pimcore's database tables, such as dropping columns or corrupting table layouts.

Such unauthorized changes can cause backend denial of service by breaking the integrity of DataObject storage and queries.

The impact includes potential data integrity issues and disruption of normal application functionality.

Exploitation requires an authenticated administrative user with permission to import or save class definitions.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious import or save operations of DataObject class definitions that include composite index metadata. Since exploitation involves importing malicious JSON with crafted compositeIndices, inspecting recent import activities or class definition changes for unusual composite index entries may help detect attempts.

Specifically, you can look for JSON payloads containing suspicious index_columns values that include SQL syntax such as closing parentheses, DROP statements, or comments.

Because the vulnerability is a blind SQL injection triggered by administrative actions, network detection might be limited to identifying authenticated administrative sessions performing class definition imports or saves.

Suggested commands to detect suspicious activity include:

  • Review Pimcore logs for import or save operations of DataObject class definitions.
  • Search for JSON files or API requests containing compositeIndices with suspicious index_columns values, e.g., using grep or similar tools:
  • grep -r 'DROP COLUMN' /path/to/pimcore/imports/
  • Monitor database schema changes or audit logs for unexpected ALTER TABLE commands affecting object query tables.
  • If possible, enable query logging on the database to detect ALTER TABLE statements with unusual syntax.
Mitigation Strategies

Immediate mitigation steps include restricting access to authenticated administrative users who can import or save DataObject class definitions, as exploitation requires such privileges.

Avoid importing or saving any untrusted or unaudited class definition JSON files that contain compositeIndices until a patch or fix is available.

Implement monitoring and alerting on import/save operations and database schema changes to detect potential exploitation attempts early.

Consider temporarily disabling the ability to import or save DataObject class definitions if this is feasible in your environment.

Stay updated with Pimcore security advisories and apply any patches or updates once they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5394. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart