CVE-2026-55212 in Pimcoreinfo

Summary

by MITRE • 07/10/2026

Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the objects permission instead of the classes permission, allowing a standard editor-level user to create class definitions without admin privileges. Class definition creation generates new database tables and PHP class files on the server, and missing API-layer UID format validation allows malformed UIDs to reach model-layer validation and return internal exceptions. This issue is fixed in versions 2025.4.6 and 2026.1.6.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability identified in Pimcore's Studio API affects the class definition creation endpoint which is designed to manage database schema and PHP class file generation within the platform. Prior to versions 2025.4.6 and 2026.1.6, the system implemented incorrect authorization controls where the objects permission was used instead of the appropriate classes permission for validating access to create new class definitions. This misconfiguration created a privilege escalation vector allowing standard editor-level users to bypass normal administrative restrictions and perform actions typically restricted to administrators or privileged users.

The technical flaw manifests in two primary areas that compound the security risk. First, the authorization mechanism fails to properly validate user permissions at the API layer, specifically using objects permission rather than classes permission for the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint. This represents a violation of the principle of least privilege and demonstrates a lack of proper access control enforcement. Second, the API layer lacks adequate input validation for UID format parameters, allowing malformed identifiers to propagate through the system to the model layer where they trigger internal exceptions rather than being properly rejected at the boundary.

The operational impact of this vulnerability is significant as class definition creation in Pimcore involves generating new database tables and PHP class files on the server infrastructure. When unauthorized users can create class definitions, they potentially gain the ability to modify the platform's data model structure and codebase without proper oversight or approval. This could lead to data integrity issues, unauthorized schema modifications, and potential injection of malicious code into the application environment. The missing UID format validation exacerbates this threat by allowing malformed identifiers to cause internal system exceptions that may reveal sensitive information about the platform's internal workings.

This vulnerability aligns with CWE-284 (Improper Access Control) and CWE-20 (Improper Input Validation) categories, representing a clear violation of security best practices for permission management and input sanitization. From an ATT&CK perspective, this issue maps to T1078 (Valid Accounts) and T1546 (Event Triggered Execution) as it allows privilege escalation through legitimate user accounts and potentially enables code execution through class file creation. The vulnerability also demonstrates poor defense-in-depth principles where multiple layers of security controls failed to prevent unauthorized actions.

The fix implemented in versions 2025.4.6 and 2026.1.6 addresses both the authorization and input validation issues by correcting the permission checks to use classes permission instead of objects permission, and by implementing proper UID format validation at the API layer before identifiers reach the model layer. This remediation restores proper access controls and prevents malformed inputs from reaching sensitive system components that could otherwise cause internal exceptions or security breaches. Organizations using affected versions should immediately upgrade to the patched releases to eliminate this privilege escalation vector and protect against potential unauthorized modifications to their Pimcore platform infrastructure.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!