CVE-2026-55212
Deferred Deferred - Pending Action

Privilege Escalation in Pimcore via Class Definition Creation

Vulnerability report for CVE-2026-55212, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the objects permission instead of the classes permission, allowing a standard editor-level user to create class definitions without admin privileges. Class definition creation generates new database tables and PHP class files on the server, and missing API-layer UID format validation allows malformed UIDs to reach model-layer validation and return internal exceptions. This issue is fixed in versions 2025.4.6 and 2026.1.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pimcore pimcore to 2026.1.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Pimcore, an open source data and experience management platform. Before versions 2025.4.6 and 2026.1.6, the Studio API endpoint responsible for creating class definitions (POST /pimcore-studio/api/class/definition/configuration-view/detail/create) incorrectly checks permissions. Instead of requiring the higher-level 'classes' permission, it only requires the 'objects' permission. This allows a standard editor-level user, who normally would not have admin privileges, to create new class definitions.

Creating class definitions involves generating new database tables and PHP class files on the server. Additionally, the API lacks proper validation of UID formats at the API layer, allowing malformed UIDs to pass through and cause internal exceptions at the model layer.

This issue was fixed in Pimcore versions 2025.4.6 and 2026.1.6.

Impact Analysis

This vulnerability can impact you by allowing users with only editor-level permissions to create new class definitions, which normally require admin privileges. This can lead to unauthorized creation of database tables and PHP class files on the server.

Because malformed UIDs can bypass API-layer validation and cause internal exceptions, this may lead to application instability or unexpected behavior.

The CVSS score of 7.1 (High) indicates that the vulnerability is exploitable remotely with low complexity and no user interaction, potentially leading to partial confidentiality loss and high integrity impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Pimcore to version 2025.4.6 or 2026.1.6 or later, where the issue has been fixed.

This vulnerability allows standard editor-level users to create class definitions without admin privileges, so restricting user permissions and monitoring for unauthorized class definition creation attempts may also help reduce risk until the upgrade is applied.

Compliance Impact

This vulnerability allows standard editor-level users to create class definitions without admin privileges, which can lead to unauthorized modification of application schema and introduction of malformed class structures. Such unauthorized access and modification could potentially lead to data integrity issues and exposure of internal exceptions, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and data integrity safeguards.

By bypassing proper permission checks, the vulnerability undermines the principle of least privilege, increasing the risk of unauthorized data access or alteration. This could result in non-compliance with regulatory requirements that mandate controlled access to sensitive data and system configurations.

Detection Guidance

This vulnerability involves unauthorized creation of class definitions via the Studio API endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create by users with objects permission instead of classes permission.

To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the vulnerable API endpoint and check for requests made by users without admin privileges.

Suggested commands include using network monitoring or web server logs to filter for POST requests to the endpoint:

  • Using grep on web server logs (e.g., Apache or Nginx):
  • grep 'POST /pimcore-studio/api/class/definition/configuration-view/detail/create' /var/log/nginx/access.log
  • Or using tcpdump to capture HTTP traffic and filter for the endpoint:
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /pimcore-studio/api/class/definition/configuration-view/detail/create'

Additionally, review user permissions associated with these requests to identify if non-admin users are attempting to create class definitions, which indicates potential exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart