CVE-2026-55208 in Pimcore Studioinfo

Summary

by MITRE • 07/10/2026

Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints accept a columnFilters array where the key field is interpolated directly into SQL with manual backtick wrapping, allowing a backtick character to break out of quoting and append arbitrary SQL such as SLEEP() and IF() subqueries. This issue is fixed in versions 2025.4.6 and 2026.1.6.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability affects the Pimcore Studio Backend Bundle, a critical component of the Pimcore Studio platform that provides administrative functionality for content management systems. The flaw represents a time-based blind SQL injection vulnerability that allows authenticated attackers to extract sensitive database information including admin password hashes through manipulation of the DateFilter column key parameter. The vulnerability specifically impacts the POST /pimcore-studio/api/website-settings endpoint and related listing endpoints where user-supplied data is processed without proper sanitization. The technical implementation involves direct interpolation of the key field from columnFilters array into SQL queries with manual backtick wrapping, creating a path for malicious input to break out of standard quoting mechanisms.

The operational impact of this vulnerability is severe as it enables authenticated attackers to perform reconnaissance and potentially escalate privileges within the system. Attackers can leverage time-based blind SQL injection techniques by injecting SLEEP() and IF() subqueries that cause database responses to delay, thereby confirming successful injection attempts and extracting information through binary search approaches. The vulnerability exists because the application fails to implement proper input validation and parameterized queries for the column key parameter, allowing attackers to manipulate SQL execution flow through specially crafted payloads that exploit the backtick character escaping mechanism. This weakness directly aligns with CWE-89 which categorizes improper neutralization of special elements used in SQL commands and CWE-400 which addresses excessive resource consumption through input manipulation.

Security implications extend beyond simple data extraction as the ability to retrieve admin password hashes creates opportunities for credential compromise and unauthorized access to administrative functions. The vulnerability affects multiple endpoints within the application's API surface, amplifying its potential impact across different operational areas of the system. Organizations running affected versions of Pimcore Studio are exposed to risks including unauthorized data access, privilege escalation, and potential system compromise through credential theft. The fix implemented in versions 2025.4.6 and 2026.1.6 addresses this by ensuring proper input sanitization and parameterized query construction for all user-supplied parameters in the columnFilters array.

Mitigation strategies should focus on immediate patching of affected systems to version 2025.4.6 or 2026.1.6 where the vulnerability has been resolved. Organizations should also implement additional monitoring for suspicious API requests involving database filtering parameters and consider implementing web application firewalls to detect and block similar injection attempts. Security teams should conduct thorough code reviews focusing on SQL query construction patterns and input handling mechanisms across all application components. The vulnerability demonstrates the importance of following secure coding practices as outlined in MITRE ATT&CK framework category T1213 which covers data from information repositories, particularly emphasizing the need for proper input validation and parameterized queries to prevent injection attacks that could lead to unauthorized access and data compromise.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!