Unauthenticated Admin Account Takeover in Pimcore by Valid Username Manipulation
CVE-2026-55207

8.8HIGH

Key Information:

Vendor

Pimcore

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-55207?

An issue in the Pimcore platform allows an unauthenticated attacker with knowledge of a valid admin username to execute an account takeover. By manipulating the password reset process through an attacker-controlled reset URL, the server generates a cryptographic recovery token that is sent to the victim in an email. Once the victim clicks this link, the recovery token is sent back to the attacker, allowing them to authenticate as the admin without needing the two-factor authentication. This vulnerability has been addressed in the later versions of Pimcore.

Affected Version(s)

pimcore >= 2026.1.0, < 2026.1.6 < 2026.1.0, 2026.1.6

pimcore < 2025.4.6 < 2025.4.6

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.