CVE-2026-55208
Deferred Deferred - Pending Action

SQL Injection in Pimcore Studio Backend Bundle

Vulnerability report for CVE-2026-55208, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pimcore pimcore_studio to 2026.1.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoints for time-based blind SQL injection in the DateFilter column key parameter. Specifically, the POST /pimcore-studio/api/website-settings endpoint and other listing endpoints that accept a columnFilters array with a key field are susceptible.

To detect exploitation attempts or the vulnerability, you can send crafted POST requests to these endpoints with a columnFilters key containing a backtick character and SQL payloads such as SLEEP() to observe time delays indicating SQL injection.

Example command using curl to test for the vulnerability by injecting a time delay:

  • curl -X POST https://your-pimcore-instance/pimcore-studio/api/website-settings -H 'Content-Type: application/json' -d '{"columnFilters":[{"key":"DateFilter` SLEEP(5)-- ","value":"2026-01-01"}]}'

If the response is delayed by approximately 5 seconds, it indicates the presence of the time-based blind SQL injection vulnerability.

Note that authenticated access is required to test this vulnerability, so ensure you have valid credentials.

Impact Analysis

The vulnerability allows an authenticated user to extract sensitive data from the database, including the admin password hash. This can lead to unauthorized access to administrative accounts if the password hashes are cracked.

Although the vulnerability does not directly affect data integrity or availability, it compromises confidentiality, potentially exposing sensitive information stored in the database.

Mitigation Strategies

To mitigate this vulnerability, upgrade Pimcore Studio Backend Bundle to version 2025.4.6 or later, or 2026.1.6 or later, where the issue is fixed.

Executive Summary

This vulnerability exists in the Pimcore Studio Backend Bundle before versions 2025.4.6 and 2026.1.6. An authenticated user can exploit a time-based blind SQL injection in the DateFilter column key parameter. Specifically, the POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is directly interpolated into SQL with manual backtick wrapping. Because the key field can include a backtick character, it can break out of the quoting and allow the attacker to append arbitrary SQL commands such as SLEEP() and IF() subqueries.

This flaw allows an attacker to extract sensitive information like the admin password hash and other database content by leveraging the SQL injection vulnerability.

Compliance Impact

The vulnerability allows an authenticated user to extract the admin password hash and other database content through a time-based blind SQL injection. This exposure of sensitive authentication data could potentially lead to unauthorized access to administrative functions and sensitive information.

Such unauthorized access and data exposure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and administrative data. However, the provided information does not explicitly detail the compliance implications or specific regulatory impacts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart