Unauthorized Class Definition Creation in Pimcore Open Source Data Platform
CVE-2026-55212

7.1HIGH

Key Information:

Vendor

Pimcore

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-55212?

The Studio API of the Pimcore platform has a security flaw that allows standard editor-level users to create class definitions without requiring admin privileges. This is because the class definition creation endpoint is inadequately protected, relying on object permissions rather than class permissions. This oversight not only enables unauthorized creation of database tables and PHP class files but also allows malformed UID formats to bypass initial validation checks, resulting in internal exceptions. The issue has been addressed in versions 2025.4.6 and 2026.1.6.

Affected Version(s)

pimcore >= 2026.1.0, < 2026.1.6 < 2026.1.0, 2026.1.6

pimcore < 2025.4.6 < 2025.4.6

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.