CVE-2026-5394
SQL Injection via Composite Index in Pimcore
Publication date: 2026-04-27
Last updated on: 2026-05-05
Assigner: Fluid Attacks
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pimcore | pimcore | 12.3.3 |
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5394 is a blind SQL injection vulnerability in Pimcore Platform version 12.3.3 that affects the import or saving of DataObject class definitions by authenticated administrative users.
The vulnerability arises because attacker-controlled composite index metadata can be injected via JSON input and concatenated directly into SQL ALTER TABLE statements without proper validation or escaping.
Specifically, the method handling the import accepts compositeIndices from JSON and passes them to a function that constructs raw SQL statements using string concatenation, executing them without quoting identifiers.
This allows an attacker to craft malicious index columns that inject additional SQL commands, such as dropping columns, by abusing the syntax of the ALTER TABLE statement.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated administrative user to perform unauthorized schema modifications, such as dropping columns, which can lead to data integrity issues and potential denial of service in the backend database.
Such unauthorized changes and potential data corruption could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require maintaining data integrity, availability, and protection against unauthorized access or modification.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized schema modifications in Pimcore's database tables, such as dropping columns or corrupting table layouts.
Such unauthorized changes can cause backend denial of service by breaking the integrity of DataObject storage and queries.
The impact includes potential data integrity issues and disruption of normal application functionality.
Exploitation requires an authenticated administrative user with permission to import or save class definitions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious import or save operations of DataObject class definitions that include composite index metadata. Since exploitation involves importing malicious JSON with crafted compositeIndices, inspecting recent import activities or class definition changes for unusual composite index entries may help detect attempts.
Specifically, you can look for JSON payloads containing suspicious index_columns values that include SQL syntax such as closing parentheses, DROP statements, or comments.
Because the vulnerability is a blind SQL injection triggered by administrative actions, network detection might be limited to identifying authenticated administrative sessions performing class definition imports or saves.
Suggested commands to detect suspicious activity include:
- Review Pimcore logs for import or save operations of DataObject class definitions.
- Search for JSON files or API requests containing compositeIndices with suspicious index_columns values, e.g., using grep or similar tools:
  - `grep -r 'DROP COLUMN' /path/to/pimcore/imports/`
- Monitor database schema changes or audit logs for unexpected ALTER TABLE commands affecting object query tables.
- If possible, enable query logging on the database to detect ALTER TABLE statements with unusual syntax.
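A grep for `DROP COLUMN` only catches one phrasing. The more robust check is an allow-list: every entry in `index_columns` must be a bare SQL identifier, and anything else (parentheses, comments, whitespace, punctuation) is flagged. The scanner below is an added example, not code from Pimcore or from this advisory; it assumes the class-definition export layout `{"compositeIndices": [{"index_key": ..., "index_type": ..., "index_columns": [...]}]}` and uses constructed sample exports. The same allow-list test is what an import handler should apply before any column name reaches an ALTER TABLE statement.

```python
import json
import re
from pathlib import Path

# Allow-list: a legitimate column name is a plain identifier, nothing else.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def find_suspicious_index_columns(class_definition_json: str) -> list[dict]:
    """Return one finding per compositeIndices column that is not a bare identifier.

    Assumed export layout (not confirmed by the advisory):
    {"compositeIndices": [{"index_key": ..., "index_type": ..., "index_columns": [...]}]}
    """
    definition = json.loads(class_definition_json)
    findings = []
    for position, entry in enumerate(definition.get("compositeIndices") or []):
        columns = entry.get("index_columns") or []
        if isinstance(columns, str):  # tolerate a single string instead of a list
            columns = [columns]
        for column in columns:
            column = str(column)
            if not SAFE_IDENTIFIER.match(column):
                findings.append({
                    "index_position": position,
                    "index_key": entry.get("index_key"),
                    "column": column,
                    "reason": "index_columns entry is not a bare SQL identifier",
                })
    return findings


def scan_export_directory(directory: str) -> dict[str, list[dict]]:
    """Scan every *.json file under `directory`; return {file path: findings} for hits only."""
    results = {}
    for path in Path(directory).rglob("*.json"):
        try:
            findings = find_suspicious_index_columns(path.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a class-definition export; skip it
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample exports (not real Pimcore data): one clean, one with SQL syntax in a column name.
CLEAN_EXPORT = json.dumps({"id": "product", "compositeIndices": [
    {"index_key": "sku_name", "index_type": "index", "index_columns": ["sku", "name"]}]})
SUSPICIOUS_EXPORT = json.dumps({"id": "product", "compositeIndices": [
    {"index_key": "odd", "index_type": "index", "index_columns": ["sku", "name) -- tail"]}]})

if __name__ == "__main__":
    print(find_suspicious_index_columns(CLEAN_EXPORT))       # expect []
    print(find_suspicious_index_columns(SUSPICIOUS_EXPORT))  # expect one finding
```

Run it against a directory of exported class definitions with `scan_export_directory("/path/to/exports")`; any hit is worth reviewing in the Pimcore admin logs alongside the database's DDL audit trail.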
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to authenticated administrative users who can import or save DataObject class definitions, as exploitation requires such privileges.
Avoid importing or saving any untrusted or unaudited class definition JSON files that contain compositeIndices until a patch or fix is available.
Implement monitoring and alerting on import/save operations and database schema changes to detect potential exploitation attempts early.
Consider temporarily disabling the ability to import or save DataObject class definitions if this is feasible in your environment.
Stay updated with Pimcore security advisories and apply any patches or updates once they become available.