๐Ÿ” CVE Alert

CVE-2026-55207

HIGH 8.8

Pimcore: Account Takeover via Password Reset URL Injection allows unauthenticated attacker to hijack any admin account with 2FA bypass

CVSS Score
8.8
EPSS Score
0.4%
EPSS Percentile
27th

Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6.

CWE CWE-640
Vendor pimcore
Product pimcore
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for pimcore pimcore

Be the first to know when new high vulnerabilities affecting pimcore pimcore are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

pimcore / pimcore
>= 2026.1.0, < 2026.1.6 < 2025.4.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/pimcore/pimcore/security/advisories/GHSA-h854-c3m3-mh5v github.com: https://github.com/pimcore/studio-backend-bundle/pull/1882 github.com: https://github.com/pimcore/studio-backend-bundle/commit/ea9d329686f5e5aea2eec378d63ac2deb965bb27 github.com: https://github.com/pimcore/studio-backend-bundle/releases/tag/v2025.4.6 github.com: https://github.com/pimcore/studio-backend-bundle/releases/tag/v2026.1.6