CVE-2026-55207
Deferred Deferred - Pending Action

Unauthenticated Admin Account Takeover in Pimcore

Vulnerability report for CVE-2026-55207, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pimcore pimcore to 2025.4.6 (inc)
pimcore pimcore to 2026.1.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-55207 allows an unauthenticated attacker to take over any Pimcore admin account by exploiting the password reset functionality, bypassing two-factor authentication and gaining full admin privileges.

This compromise of admin accounts can lead to unauthorized access to sensitive data, including CMS content, digital assets, PIM data, user accounts, and system configuration.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the vulnerability undermines confidentiality, integrity, and availability of data, which are core principles in these standards.

Organizations using vulnerable versions of Pimcore may face increased risk of non-compliance, potential data breaches, and associated legal and financial penalties.

Executive Summary

This vulnerability affects Pimcore, an open source data and experience management platform. Before versions 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account. The attacker does this by sending a password reset request with a resetPasswordUrl controlled by the attacker. The server generates a real cryptographic recovery token and appends it to the supplied URL, then emails the link to the victim. When the victim clicks the link, the token is sent to the attacker, who can then use it to authenticate with full admin privileges, bypassing two-factor authentication.

Impact Analysis

This vulnerability allows an attacker to fully take over any Pimcore admin account without needing to authenticate or bypass two-factor authentication. This means the attacker can gain complete administrative control over the affected Pimcore instance, potentially leading to unauthorized access, data theft, data manipulation, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Pimcore to version 2025.4.6 or 2026.1.6 or later, as these versions contain the fix for this issue.

Detection Guidance

This vulnerability involves an attacker sending a password reset request with a malicious resetPasswordUrl parameter to hijack admin accounts. Detection can focus on monitoring for unusual or suspicious password reset requests that include unexpected or external URLs in the resetPasswordUrl parameter.

To detect exploitation attempts on your system or network, you can monitor web server logs or application logs for password reset requests containing resetPasswordUrl parameters pointing to external or attacker-controlled domains.

Example commands to search for suspicious password reset requests in logs might include:

  • Using grep to find resetPasswordUrl parameters in web server logs (e.g., Apache or Nginx):
  • grep -i 'resetPasswordUrl=' /var/log/nginx/access.log
  • grep -i 'resetPasswordUrl=' /var/log/apache2/access.log
  • Using grep with a pattern to find resetPasswordUrl parameters containing external domains (example for suspicious URLs):
  • grep -i 'resetPasswordUrl=http' /var/log/nginx/access.log | grep -v 'yourdomain.com'
  • grep -i 'resetPasswordUrl=http' /var/log/apache2/access.log | grep -v 'yourdomain.com'

Replace 'yourdomain.com' with your actual Pimcore domain to filter out legitimate URLs. This helps identify requests where the resetPasswordUrl points to an external or untrusted domain, which could indicate exploitation attempts.

Additionally, monitoring email logs for password reset emails containing unusual reset links or URLs not matching your domain can help detect potential attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart