Unauthenticated Admin Account Takeover in Pimcore by Valid Username Manipulation
CVE-2026-55207
8.8HIGH
What is CVE-2026-55207?
An issue in the Pimcore platform allows an unauthenticated attacker with knowledge of a valid admin username to execute an account takeover. By manipulating the password reset process through an attacker-controlled reset URL, the server generates a cryptographic recovery token that is sent to the victim in an email. Once the victim clicks this link, the recovery token is sent back to the attacker, allowing them to authenticate as the admin without needing the two-factor authentication. This vulnerability has been addressed in the later versions of Pimcore.
Affected Version(s)
pimcore >= 2026.1.0, < 2026.1.6 < 2026.1.0, 2026.1.6
pimcore < 2025.4.6 < 2025.4.6