CVE-2026-23493
Published: 15 January 2026
Summary
CVE-2026-23493 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Pimcore. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE is ranked at the 0.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and AU-9 (Protection of Audit Information).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AU-3 (Content of Audit Records): defines what an audit record may contain, so that the http_error_log entries exclude sensitive values such as database passwords and session data taken from the $_COOKIE and $_SERVER superglobals.
AU-9 (Protection of Audit Information): protects the stored log entries from being read through the Pimcore backend by unauthenticated attackers.
Error handling: ensures the http_error_log code path does not disclose credentials or session data when it records a failed request.
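The AU-3 point above is concrete enough to show in code. The following is an added example written for this page, not Pimcore's own code or its actual fix: it contrasts the vulnerable shape (the whole $_SERVER and $_COOKIE arrays persisted with the error) with two defensive approaches, an allow-list of the few $_SERVER keys that help diagnose an HTTP error, and a recursive deny-list redaction for context you cannot allow-list. The key names, the sample request and the record layout are assumptions; Pimcore's real storage format is not reproduced.

```php
<?php
// Added example, not Pimcore's code: keep $_SERVER and $_COOKIE material out of
// an HTTP-error log record. Key names and record layout are assumptions.

declare(strict_types=1);

/** $_SERVER keys that are actually useful when diagnosing a 404/500. */
const SERVER_ALLOWLIST = [
    'REQUEST_METHOD', 'REQUEST_URI', 'HTTP_HOST', 'HTTP_USER_AGENT',
    'HTTP_REFERER', 'REMOTE_ADDR', 'SERVER_PROTOCOL', 'REQUEST_TIME_FLOAT',
];

/** Key fragments that mark a value as secret (used by the deny-list fallback). */
const SECRET_KEY_MARKERS = [
    'PASS', 'SECRET', 'TOKEN', 'KEY', 'AUTH', 'COOKIE', 'SESSION', 'DSN', 'DATABASE_URL',
];

/** Preferred: only allow-listed $_SERVER keys reach the log at all. */
function allowlistServer(array $server): array
{
    return array_intersect_key($server, array_flip(SERVER_ALLOWLIST));
}

/**
 * Fallback for arbitrary context arrays: recursively replace any value whose
 * key looks secret. Weaker than an allow-list, because an unanticipated key
 * name passes through untouched.
 */
function redactSecrets(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = redactSecrets($value);
            continue;
        }
        $upper = strtoupper((string) $key);
        foreach (SECRET_KEY_MARKERS as $marker) {
            if (str_contains($upper, $marker)) {
                $data[$key] = '[REDACTED]';
                break;
            }
        }
    }
    return $data;
}

/** Builds the record to persist: allow-listed server data, cookie names only. */
function buildErrorRecord(int $status, array $server, array $cookies): array
{
    return [
        'status'  => $status,
        'server'  => allowlistServer($server),
        'cookies' => array_keys($cookies), // presence is diagnostic, values are not
    ];
}

// Constructed sample request. DATABASE_URL shows up in $_SERVER when PHP's
// variables_order includes "E", which is one way a DB password becomes loggable.
$server = [
    'REQUEST_METHOD'     => 'GET',
    'REQUEST_URI'        => '/does-not-exist',
    'HTTP_HOST'          => 'example.test',
    'REMOTE_ADDR'        => '203.0.113.7',
    'HTTP_COOKIE'        => 'PHPSESSID=k9v1c2q5m8d0a3b6e7f8g1h2j4',
    'HTTP_AUTHORIZATION' => 'Basic cGltY29yZTpodW50ZXIy',
    'DATABASE_URL'       => 'mysql://pimcore:hunter2@db:3306/pimcore',
];
$cookies = ['PHPSESSID' => 'k9v1c2q5m8d0a3b6e7f8g1h2j4'];

// Vulnerable shape: the whole superglobals are persisted alongside the error.
$leaky = ['status' => 404, 'server' => $server, 'cookie' => $cookies];

// Hardened record (allow-list), then the leaky record after deny-list redaction.
echo json_encode(buildErrorRecord(404, $server, $cookies), JSON_PRETTY_PRINT), PHP_EOL;
echo json_encode(redactSecrets($leaky), JSON_PRETTY_PRINT), PHP_EOL;
```

Run with `php example.php`. The first record carries only the allow-listed keys and the cookie names; the second keeps the leaky structure but replaces the values under HTTP_COOKIE, HTTP_AUTHORIZATION, DATABASE_URL and PHPSESSID with `[REDACTED]`. The allow-list is the one to prefer for a fixed-shape input like $_SERVER; the marker-based redaction is a safety net for free-form context, not a substitute.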
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exposure of credentials (DB passwords) and session cookies in accessible log files enables T1552.001 (Credentials In Files) and T1539 (Steal Web Session Cookie).
NVD Description
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
Deeper analysis
CVE-2026-23493 affects Pimcore, an open-source data and experience management platform, in versions prior to 12.3.1 and 11.5.14. The vulnerability arises because the http_error_log file logs sensitive data from the $_COOKIE and $_SERVER superglobals, including database passwords, session cookies, and other potentially confidential details. This information exposure through log files (CWE-532) has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to significant confidentiality impact.
Unauthenticated attackers with network access can exploit this vulnerability by accessing the http_error_log file through the Pimcore backend, without requiring privileges or user interaction. Successful exploitation allows recovery of sensitive credentials and session data, potentially enabling further compromise such as unauthorized database access, session hijacking, or lateral movement within the environment, alongside limited integrity and availability disruption.
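Because the impact comes from data that is already written to disk, a responder's first question is what the existing entries contain. The following is an added triage example written for this page, not Pimcore's own code: it scans stored error-log lines for secret material (database URLs with embedded passwords, session cookies, Basic and Bearer authorization values) and reports which line leaked which category, truncating each match so the triage report does not re-leak the secret. The line format and the sample entries are constructed; Pimcore's real storage layout is not reproduced.

```php
<?php
// Added example, not Pimcore's code: triage stored http_error_log entries for
// leaked secrets so the operator knows which credentials and sessions to rotate.
// Line format and sample content are constructed.

declare(strict_types=1);

/** Regexes for secret material that has no business in an error log. */
const LEAK_PATTERNS = [
    'database_url'   => '~\b[a-z]+://[^:/\s"]+:[^@\s"]+@[^\s"]+~i', // scheme://user:pass@host
    'session_cookie' => '~\bPHPSESSID=[A-Za-z0-9,-]{20,}~',
    'basic_auth'     => '~\bBasic [A-Za-z0-9+/]{8,}={0,2}~',
    'bearer_token'   => '~\bBearer [A-Za-z0-9._\-]{16,}~',
];

/**
 * Returns the leak categories found in one log line, mapped to a truncated
 * prefix of the match (enough to identify it, not enough to reuse it).
 */
function findLeaks(string $line): array
{
    $hits = [];
    foreach (LEAK_PATTERNS as $name => $regex) {
        if (preg_match($regex, $line, $m) === 1) {
            $hits[$name] = substr($m[0], 0, 12) . '...';
        }
    }
    return $hits;
}

/** Scans all lines; returns [line number => hits] for lines with at least one hit. */
function scanLog(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        $hits = findLeaks($line);
        if ($hits !== []) {
            $report[$i + 1] = $hits;
        }
    }
    return $report;
}

// Constructed sample entries in the shape the vulnerable versions produce:
// a dump of $_SERVER and $_COOKIE stored with the failed request.
$sampleLog = [
    '{"code":404,"uri":"/missing","server":{"REQUEST_METHOD":"GET","HTTP_HOST":"example.test"}}',
    '{"code":404,"uri":"/admin/x","server":{"DATABASE_URL":"mysql://pimcore:S3cr3t!@db:3306/pimcore",'
        . '"HTTP_COOKIE":"PHPSESSID=k9v1c2q5m8d0a3b6e7f8g1h2j4"},'
        . '"cookie":{"PHPSESSID":"k9v1c2q5m8d0a3b6e7f8g1h2j4"}}',
    '{"code":500,"uri":"/api/items","server":{"HTTP_AUTHORIZATION":"Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop"}}',
];

foreach (scanLog($sampleLog) as $lineNo => $hits) {
    $parts = [];
    foreach ($hits as $category => $prefix) {
        $parts[] = "$category ($prefix)";
    }
    printf("line %d: %s\n", $lineNo, implode(', ', $parts));
}
```

On the sample, line 1 is clean, line 2 reports `database_url` and `session_cookie`, and line 3 reports `bearer_token`. Each category maps to an action: a database URL hit means rotating that database account's password, a session cookie hit means invalidating that session, an authorization header hit means rotating the token or user credential. Tune the patterns to the cookie and credential formats in your deployment before trusting a clean result.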
Mitigation is available through patches released for the affected branches: upgrade to Pimcore 12.3.1 or 11.5.14. The fixes are detailed in GitHub commit 002ec7d5f84973819236796e5b314703b58e8601, pull request #18918, and the corresponding release tags, with additional guidance in the GHSA-q433-j342-rp9h security advisory. Upgrading stops new entries from capturing these values but does not scrub entries already stored, so existing http_error_log data should be reviewed and purged, and any database credentials or sessions that appear in it should be rotated.
Details
- CWE(s)