Unauthorized Class Definition Creation in Pimcore Open Source Data Platform
CVE-2026-55212
7.1HIGH
What is CVE-2026-55212?
The Studio API of the Pimcore platform has a security flaw that allows standard editor-level users to create class definitions without requiring admin privileges. This is because the class definition creation endpoint is inadequately protected, relying on object permissions rather than class permissions. This oversight not only enables unauthorized creation of database tables and PHP class files but also allows malformed UID formats to bypass initial validation checks, resulting in internal exceptions. The issue has been addressed in versions 2025.4.6 and 2026.1.6.
Affected Version(s)
pimcore >= 2026.1.0, < 2026.1.6 < 2026.1.0, 2026.1.6
pimcore < 2025.4.6 < 2025.4.6