CVE-2026-27461

4.9 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Pimcore allows authenticated admin users to extract the entire database, including password hashes of other admin accounts. It affects Pimcore versions up to 11.5.14.1 and 12.3.2. Organizations using these vulnerable versions with admin panel access are at risk.

💻 Affected Systems

Products:
  • Pimcore
Versions: Up to and including 11.5.14.1 and 12.3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to exploit. All deployments with admin panel access are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including sensitive user data, password hashes, and potential lateral movement to other systems.

🟠 Likely Case

Extraction of admin password hashes leading to account takeover and privilege escalation within the Pimcore instance.

🟢 If Mitigated

Limited impact due to strong access controls, monitoring, and network segmentation preventing database access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once authenticated. The vulnerability is in filter query parameter handling in dependency listing endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.3.3

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-vxg3-v4p6-f3fp

Restart Required: No

Instructions:

1. Upgrade to Pimcore 12.3.3 or later.
2. For version 11.x, upgrade to a version beyond 11.5.14.1.
3. Apply the patch from commit 1c3925fbec4895abeb21e5c244a83679c4e4a6f4 if manual patching is needed.

🔧 Temporary Workarounds

Restrict Admin Access

Applies to: all

Limit admin panel access to only trusted users and implement strong authentication controls.

Network Segmentation

Applies to: all

Isolate Pimcore instances from critical databases and other sensitive systems.

🧯 If You Can't Patch

  • Implement strict access controls and monitor admin user activities closely.
  • Deploy web application firewall (WAF) rules to block SQL injection patterns in filter parameters.

🔍 How to Verify

Check if Vulnerable:

Check the Pimcore version via the admin panel or configuration files. If the version is ≤11.5.14.1 or ≤12.3.2, the system is vulnerable.

Check Version:

Check the Pimcore version in the admin panel or review the pimcore/config/version.php file.

Verify Fix Applied:

Verify that the version is ≥12.3.3 or >11.5.14.1, and check that filter query parameters are properly sanitized in dependency listing endpoints.
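The two affected ranges above (everything up to 11.5.14.1, and 12.x up to 12.3.2) are easy to get wrong when checking a fleet by hand, because the 11.x and 12.x lines have different cut-offs. The following is an added example, not code from the advisory or from Pimcore, that turns those ranges into a version check; the sample inventory at the bottom is constructed.

```python
# Added example (not from the advisory or from Pimcore): decide whether a
# Pimcore version string falls inside the affected ranges stated above.
# Affected: every release up to and including 11.5.14.1, and 12.x releases
# up to and including 12.3.2. Fixed: 12.3.3 and later, or an 11.x release
# beyond 11.5.14.1.
import re

# Upper bounds taken from the advisory text, padded to four components so
# that "11.5.14.1" and "12.3.2" compare cleanly as tuples.
LAST_VULN_11 = (11, 5, 14, 1)
FIRST_12 = (12, 0, 0, 0)
LAST_VULN_12 = (12, 3, 2, 0)


def parse_version(version: str) -> tuple:
    """Turn '12.3.2' or 'v11.5.14.1-dev' into a 4-tuple of ints.

    Pre-release suffixes (e.g. '-dev', '-RC1') are dropped, so a pre-release
    of the first fixed version is treated as fixed; if that matters, confirm
    the fix commit is present in the tree rather than trusting the string.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"not a version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many components: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True if the version is inside either affected range."""
    v = parse_version(version)
    if v <= LAST_VULN_11:                  # everything up to and including 11.5.14.1
        return True
    return FIRST_12 <= v <= LAST_VULN_12   # 12.0.0 through 12.3.2


def triage(versions):
    """Map each input version to 'VULNERABLE' or 'fixed'."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or confirmed release numbers.
    sample = ["10.6.8", "11.5.14.1", "11.5.14.2", "12.0.0", "12.3.2", "12.3.3", "13.0.0"]
    for ver, status in triage(sample).items():
        print(f"{ver:>10}  {status}")
```

Feed it the version strings collected from each instance's admin panel or version file; anything reported as VULNERABLE needs the upgrade described under Instructions.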

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from admin users
  • Multiple failed login attempts followed by successful admin login
  • Suspicious filter parameter values in dependency listing requests

Network Indicators:

  • Abnormal database traffic patterns from Pimcore application servers
  • SQL error messages in HTTP responses

SIEM Query:

source="pimcore" AND (event="sql_error" OR (param="filter" AND value CONTAINS "RLIKE"))
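Where no SIEM is in place, the same indicator can be checked directly against web-server access logs. The following is an added example, not code from the advisory or from Pimcore: it parses combined-format log lines, scopes to requests whose path looks like a dependency listing, and flags any "filter" parameter carrying SQL syntax such as RLIKE. The endpoint paths, addresses, users and log lines are constructed placeholders; Pimcore's real dependency-listing route is not given on this page, so set DEPENDENCY_PATH_HINT to match your deployment.

```python
# Added example (not from the advisory or from Pimcore): scan access-log
# lines for the indicator the SIEM query above describes, a "filter" query
# parameter in dependency-listing requests that carries SQL syntax such as
# RLIKE. DEPENDENCY_PATH_HINT is a placeholder substring, not Pimcore's
# real route; substitute the dependency-listing path of your deployment.
import re
from urllib.parse import urlsplit, parse_qs

# Placeholder used to scope the check to dependency-listing requests.
DEPENDENCY_PATH_HINT = "dependenc"

# Indicators of SQL syntax inside a filter value. RLIKE is the one the
# advisory names; the others are generic SQL-injection tell-tales.
SQL_INDICATORS = re.compile(
    r"\bRLIKE\b|\bREGEXP\b|\bUNION\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(|--|/\*|'\s*OR\s+'|'\s*AND\s+'",
    re.IGNORECASE,
)

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_filters(lines):
    """Return one finding per dependency-listing request whose 'filter' looks like SQL.

    Each finding records ip, user, timestamp, path, HTTP status, the decoded
    filter value and the indicator that matched. A 5xx status alongside a hit
    lines up with the "SQL error messages in HTTP responses" indicator above.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if DEPENDENCY_PATH_HINT not in url.path.lower():
            continue
        # parse_qs percent-decodes and splits repeated parameters.
        for value in parse_qs(url.query).get("filter", []):
            hit = SQL_INDICATORS.search(value)
            if hit:
                findings.append({
                    "ip": rec["ip"],
                    "user": rec["user"],
                    "ts": rec["ts"],
                    "path": url.path,
                    "status": rec["status"],
                    "filter": value,
                    "indicator": hit.group(0),
                })
    return findings


# Constructed sample log lines; paths, users and addresses are made up.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Mar/2026:10:15:01 +0000] "GET /admin/example/dependency-list?id=42&filter=name HTTP/1.1" 200 512',
    '10.0.0.5 - admin [01/Mar/2026:10:15:09 +0000] "GET /admin/example/dependency-list?id=42&filter=%27%20RLIKE%20%27%5Ea HTTP/1.1" 200 734',
    '10.0.0.9 - editor [01/Mar/2026:10:16:00 +0000] "GET /admin/example/asset-list?filter=UNION%20SELECT HTTP/1.1" 200 301',
    '10.0.0.7 - admin [01/Mar/2026:10:17:30 +0000] "GET /admin/example/dependency-required-by?id=7&filter=name%27%20--%20 HTTP/1.1" 500 88',
]

if __name__ == "__main__":
    for f in suspicious_filters(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']}  user={f['user']}  {f['status']}  {f['path']}  "
              f"filter={f['filter']!r}  hit={f['indicator']}")
```

The third sample line is deliberately not flagged: it carries SQL syntax but targets a path outside the dependency-listing scope, which keeps the check aligned with the advisory's description rather than alerting on every filter parameter in the application. Widen DEPENDENCY_PATH_HINT (or drop the path check) if you prefer broader coverage at the cost of more noise.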
