Data Exposure Vulnerability in Pimcore Open Source Platform
CVE-2026-23493

8.6HIGH

Key Information:

Vendor

Pimcore
Status
Pimcore
Vendor
CVE Published:
15 January 2026

What is CVE-2026-23493?

The Pimcore Data & Experience Management Platform has a vulnerability that allows sensitive information, including database passwords and cookie session data, to be stored in the http_error_log file. This file can be accessed through the Pimcore backend, posing a significant risk for data exposure. The issue affects versions earlier than 12.3.1 and 11.5.14. Updated versions are available, which effectively mitigate this vulnerability.

Affected Version(s)

pimcore >= 12.0.0-RC1, < 12.3.1 < 12.0.0-RC1, 12.3.1

pimcore < 11.5.14 < 11.5.14

References

https://github.com/pimcore/pimcore/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pimcore/pimcore/pull/18918
x_refsource_MISC
https://github.com/pimcore/pimcore/commit/002ec7d5f849738...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.