CVE-2026-23492

8.8 HIGH

📋 TL;DR

This CVE describes a blind SQL injection vulnerability in Pimcore's Admin Search Find API, reachable by authenticated backend (admin interface) users. An attacker with such access can infer database contents one condition at a time through blind injection techniques, and the issue survived a previous mitigation attempt. It affects Pimcore installations that expose the admin interface and leads to database information disclosure.

💻 Affected Systems

Products:
  • Pimcore
Versions: 12.x before 12.3.1 and 11.x before 11.5.14 (all earlier releases are affected; older major lines receive no fix)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to admin interface

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including sensitive user data, configuration secrets, and potential lateral movement to other systems

🟠

Likely Case

Database information disclosure including user credentials, configuration data, and business information

🟢

If Mitigated

Limited impact once the fixed release is deployed; database permission restrictions and admin-interface access controls reduce blast radius but do not by themselves stop the injection

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated admin access and knowledge of blind SQL injection techniques

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.3.1 or 11.5.14

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj

Restart Required: Yes

Instructions:

1. Back up the Pimcore installation and the database.
2. Update to 12.3.1 (for the 12.x line) or 11.5.14 (for the 11.x line).
3. Restart the application server and PHP-FPM so OPcache loads the new code.
4. Confirm the installed version (see How to Verify) and re-test the Admin Search Find API.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all versions

Add stricter validation of the Admin Search API parameters as a stopgap only. Blocking SQL comment sequences is not sufficient: the earlier mitigation was bypassed with payloads that use no comments. If you carry a local change to the search code, pass user input to the database only as bound query parameters, never by string concatenation, and treat the change as temporary until the fixed release is deployed.

Database Permission Restriction

Applies to: all versions

Restrict the Pimcore database user to the privileges the application needs at runtime. This does not stop the injection itself (the application account can still read every table Pimcore uses), but it removes FILE, SUPER, cross-database and grant rights that would turn a disclosure into lateral movement. MySQL/MariaDB example (user and database names are placeholders):

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'pimcore_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON pimcore_db.* TO 'pimcore_user'@'localhost';

Note that the Pimcore installer and its database migrations need DDL rights (CREATE, ALTER, DROP, INDEX); grant those temporarily when applying the 12.3.1 / 11.5.14 update, then revoke them again.

🧯 If You Can't Patch

  • Implement WAF rules that key on SQL functions and operators in the search parameters (SLEEP, BENCHMARK, SUBSTRING, ASCII, UNION ... SELECT, a quote followed by OR/AND), not only on comment sequences; rules that block comments alone do not cover this issue
  • Restrict access to the admin interface (the /admin path) to trusted IP addresses or a VPN, and review which accounts hold backend access

🔍 How to Verify

Check if Vulnerable:

Read the installed version from the admin interface, or from composer.lock in the project root (package pimcore/pimcore); anything below 12.3.1 on the 12.x line or below 11.5.14 on the 11.x line is affected

Check Version:

composer show pimcore/pimcore | grep versions
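
To run the same check across a fleet without opening each admin UI, the following added example (not part of this page or of Pimcore) reads the pinned pimcore/pimcore version from composer.lock and classifies it against the two fixed releases named above. The assumptions are stated in the code: major lines below 11 are treated as unfixed, major lines above 12 as post-fix, and a pre-release tag of the fixed version itself as still vulnerable.

```python
"""Classify an installed Pimcore version against the fixed releases in this advisory."""
import json
import re
from pathlib import Path

# Fixed releases from the advisory, keyed by major version line.
FIXED = {11: (11, 5, 14), 12: (12, 3, 1)}


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for strings such as
    'v12.2.0', '12.3.1-RC1' or '11.5.14'. Raise ValueError for anything else:
    dev branches like 'dev-main' cannot be classified and must be checked by hand."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.]+))?$", text.strip())
    if not m:
        raise ValueError(f"not a release version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix is not None


def is_vulnerable(version):
    """True when the version predates the fix for its major line.

    Assumptions (the advisory names only the two fixed releases): major lines
    below 11 never received the fix; major lines above 12 post-date it; a
    pre-release of the fixed version (e.g. 12.3.1-RC1) is treated as vulnerable
    because the fix may have landed after that tag was cut."""
    v, prerelease = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return v[0] < min(FIXED)
    return v < fixed or (v == fixed and prerelease)


def version_from_lock(lock_text):
    """Extract the pinned pimcore/pimcore version from composer.lock content."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "pimcore/pimcore":
            return pkg["version"]
    raise KeyError("pimcore/pimcore not found in composer.lock")


if __name__ == "__main__":
    # Run from the Pimcore project root, where composer.lock lives.
    ver = version_from_lock(Path("composer.lock").read_text())
    state = "VULNERABLE" if is_vulnerable(ver) else "fixed"
    print(f"pimcore/pimcore {ver}: {state} (fixed in 12.3.1 / 11.5.14)")
```

composer.lock records the exact tag that was installed, so this is more reliable than composer.json, whose constraint (for example ^12.0) says nothing about what is actually deployed.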

Verify Fix Applied:

After updating, re-run a boolean- or time-based probe against the Admin Search Find API using payloads that do not rely on SQL comment sequences (the previous mitigation was bypassed by such payloads). On a fixed instance the response content and timing no longer vary with the injected condition. Test only systems you are authorised to test.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by search API requests
  • Long or unusual parameter values in search requests

Network Indicators:

  • Repeated requests to the admin search find endpoint (listed on this page as /admin/search/find; confirm the exact route on your version with php bin/console debug:router | grep -i search) from one session with a parameter that changes slightly each time
  • Response times for one user's search requests that cluster at a fixed delay (for example 5 seconds), the signature of time-based blind injection

SIEM Query:

source="web_logs" AND uri="*/search/find*" AND (param="*SLEEP(*" OR param="*BENCHMARK(*" OR param="*SUBSTRING(*" OR param="*ASCII(*" OR param="*UNION*SELECT*" OR param="*information_schema*")

Matching bare OR/AND in a search parameter fires on ordinary queries ("Smith AND Jones"), so key on SQL functions and keyword pairs instead. Blind extraction needs hundreds of near-identical requests, so also alert on the per-user request rate to this endpoint and on outlying response times.
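
The detection logic above, applied to constructed access-log lines as an added example (not code from this page or from Pimcore). It combines the three signals listed in this section: SQL fragments in the decoded search parameter, response-time outliers, and per-user request bursts to the search endpoint. The log format (combined format plus a trailing response-time field in milliseconds), the sample traffic, the optional second "/search" path segment and the injected strings are all assumptions made for the example; the payloads are generic illustrations of blind-injection probing, not a working exploit for this CVE.

```python
"""Hunt for blind-SQLi probing of the Pimcore admin search endpoint in web logs."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Endpoint path as named on this page. The optional second "/search" segment is
# an assumption; confirm the real route with `php bin/console debug:router | grep -i search`.
SEARCH_PATH_RE = re.compile(r"^/admin/search(?:/search)?/find$")

# Fragments typical of boolean- and time-based blind injection. None of them
# depend on SQL comment sequences, so the detector must not rely on comments either.
SQLI_TOKEN_RE = re.compile(
    r"""(?ix)
      \b(?:sleep|benchmark|substring|substr|ascii|mid|if)\s*\(    # timing / char probes
    | \bunion\b.{0,40}?\bselect\b                                 # union-based
    | \binformation_schema\b
    | ['"]\s*(?:or|and)\s+[\w'"@]+\s*(?:=|<|>|like\b)             # ' AND 1=1 style
    """
)

# Combined log format with the backend response time in milliseconds as the
# last field (constructed format; adapt LOG_RE to what your proxy actually logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<ms>\d+)$'
)

# Constructed sample traffic, not a real capture: two legitimate searches by alice
# (one with a literal apostrophe and the words AND/OR), a burst of probes by bob
# (a time-based payload, then char-by-char comparisons), and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jan/2026:10:00:01 +0000] "GET /admin/search/search/find?query=Smith+AND+Jones+OR+Miller HTTP/1.1" 200 812 "-" "Mozilla/5.0" 38
10.0.0.5 - alice [12/Jan/2026:10:00:09 +0000] "GET /admin/search/search/find?query=O%27Brien+brochure+2026 HTTP/1.1" 200 4210 "-" "Mozilla/5.0" 51
10.0.0.9 - bob [12/Jan/2026:10:02:00 +0000] "GET /admin/search/search/find?query=x%27+AND+SLEEP%285%29%3D0+AND+%27a%27%3D%27a HTTP/1.1" 200 102 "-" "python-requests/2.31" 5043
10.0.0.9 - bob [12/Jan/2026:10:02:06 +0000] "GET /admin/search/search/find?query=x%27+AND+ASCII%28SUBSTRING%28%40%40version%2C1%2C1%29%29%3E77+AND+%27a%27%3D%27a HTTP/1.1" 200 102 "-" "python-requests/2.31" 44
10.0.0.9 - bob [12/Jan/2026:10:02:07 +0000] "GET /admin/search/search/find?query=x%27+AND+ASCII%28SUBSTRING%28%40%40version%2C1%2C1%29%29%3E90+AND+%27a%27%3D%27a HTTP/1.1" 200 102 "-" "python-requests/2.31" 40
10.0.0.9 - bob [12/Jan/2026:10:02:08 +0000] "GET /admin/search/search/find?query=x%27+AND+ASCII%28SUBSTRING%28%40%40version%2C1%2C1%29%29%3E83+AND+%27a%27%3D%27a HTTP/1.1" 200 102 "-" "python-requests/2.31" 43
10.0.0.9 - bob [12/Jan/2026:10:02:09 +0000] "GET /admin/search/search/find?query=x%27+AND+ASCII%28SUBSTRING%28%40%40version%2C1%2C1%29%29%3E80+AND+%27a%27%3D%27a HTTP/1.1" 200 102 "-" "python-requests/2.31" 42
10.0.0.5 - alice [12/Jan/2026:10:03:00 +0000] "GET /admin/object/get?id=42 HTTP/1.1" 200 310 "-" "Mozilla/5.0" 20
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes and turns '+' into spaces, so the regex sees what
    # the database saw. POST bodies are not in access logs; feed the same regex
    # the request body from a WAF or ModSecurity audit log for those.
    rec["query"] = " ".join(v for vals in parse_qs(url.query).values() for v in vals)
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ms"] = int(rec["ms"])
    return rec


def analyze(lines, rate_threshold=30, window_s=60, slow_ms=2000):
    """Return one finding per suspicious search request: dict(line, ip, user, query, reasons)."""
    findings = []
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent search calls
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not SEARCH_PATH_RE.match(rec["path"]):
            continue
        reasons = []
        if SQLI_TOKEN_RE.search(rec["query"]):
            reasons.append("sqli-tokens")
        if rec["ms"] >= slow_ms:
            reasons.append(f"slow-response:{rec['ms']}ms")
        q = recent[(rec["ip"], rec["user"])]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:  # sliding window
            q.popleft()
        if len(q) >= rate_threshold:
            reasons.append(f"rate:{len(q)}/{window_s}s")
        if reasons:
            findings.append({"line": n, "ip": rec["ip"], "user": rec["user"],
                             "query": rec["query"][:60], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # A low rate threshold so the short sample triggers the burst signal.
    for f in analyze(SAMPLE_LOG.splitlines(), rate_threshold=5):
        print(f"line {f['line']}: {f['user']}@{f['ip']} {f['reasons']} :: {f['query']}")
```

The token regex on its own would miss an attacker who encodes differently or uses functions not in the list; the rate and timing signals are independent of payload content, which is why the three are combined. Tune rate_threshold to the volume a real editor generates in your backend before alerting on it.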
