Description
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
Published: 2026-01-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Log data exposure leading to potential confidentiality compromise via sensitive environment and session information
Action: Patch
AI Analysis

Impact

The vulnerability in Pimcore allows the http_error_log file to store the contents of the $_COOKIE and $_SERVER superglobals. These variables can contain sensitive credentials such as database passwords, session tokens, and other confidential data. Exposing them in the error log means that anyone who can read the log file can recover these secrets, effectively compromising both confidentiality and integrity of the application’s environment and user data.

Affected Systems

Pimcore data and experience management platform versions prior to 12.3.1 and 11.5.14 are affected. The fix is included in releases 12.3.1 and 11.5.14 and later. All installations running earlier Pimcore releases should be upgraded to at least the corrected versions.

Risk and Exploitability

The CVSS score of 8.6 classifies this as a high severity vulnerability, while the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, it is inferred that exploiting the flaw requires an ability to read the http_error_log file, which typically involves elevated privileges on the host or access to the Pimcore backend. An attacker with such access could retrieve environmental and session information, potentially leading to full system compromise.

Generated by OpenCVE AI on April 18, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to Pimcore 12.3.1 or 11.5.14
  • After updating, verify that the server’s logging configuration no longer records environment or superglobal data, and delete any existing logs containing sensitive information
  • If an upgrade cannot be performed immediately, restrict file permissions on the http_error_log to deny read access to non-administrator users and consider temporarily disabling detailed error logging until a patch is available

Advisories

Source: Github GHSA
ID: GHSA-q433-j342-rp9h
Title: Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
History

Tue, 20 Jan 2026 22:00:00 +0000

Type: CPEs
Values: cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values: Pimcore; Pimcore pimcore

Type: Vendors & Products
Values: Pimcore; Pimcore pimcore

Thu, 15 Jan 2026 19:15:00 +0000

Type: Metrics
Values: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 17:00:00 +0000

Type: Description
Values: Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.

Type: Title
Values: Pimcore ENV Variables and Cookie Informations are exposed in http_error_log

Type: Weaknesses
Values: CWE-532

Type: References
Values:

Type: Metrics
Values: cvssV3_1
{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T19:02:08.517Z

Reserved: 2026-01-13T15:47:41.629Z

Link: CVE-2026-23493

Vulnrichment

Updated: 2026-01-15T19:01:55.906Z

NVD

Status : Analyzed

Published: 2026-01-15T17:16:08.293

Modified: 2026-01-20T21:48:53.243

Link: CVE-2026-23493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses