Pimcore Studio API Class Create Bypass (2025.4.6/2026.1.6)
CVE-2026-55212 Published on July 9, 2026
Pimcore: Insufficient Permission Check on Class Definition Creation Endpoint Allows Privilege Escalation
Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, the Studio API class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create is guarded by the objects permission instead of the classes permission, allowing a standard editor-level user to create class definitions without admin privileges. Class definition creation generates new database tables and PHP class files on the server, and missing API-layer UID format validation allows malformed UIDs to reach model-layer validation and return internal exceptions. This issue is fixed in versions 2025.4.6 and 2026.1.6.
Vulnerability Analysis
CVE-2026-55212 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-55212. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-55212 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-55212
Want to know whenever a new CVE is published for Pimcore? stack.watch will email you.
Affected Versions
pimcore:- Version >= 2026.1.0, < 2026.1.6 is affected.
- Version < 2025.4.6 is affected.