Cyber Resilience

CVE-2026-23493

High

Published: 15 January 2026
Modified: 20 January 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS score: 0.0039 (31.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-23493 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Pimcore Pimcore. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). By EPSS exploit likelihood the CVE ranks at the 31.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and AU-9 (Protection of Audit Information).

Deeper analysis

CVE-2026-23493 affects Pimcore, an open-source data and experience management platform, in versions prior to 12.3.1 and 11.5.14. The vulnerability arises because the http_error_log file logs sensitive data from the $_COOKIE and $_SERVER superglobals, including database passwords, session cookies, and other potentially confidential details. This information exposure through log files (CWE-532) has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to significant confidentiality impact.

Unauthenticated attackers with network access can exploit this vulnerability by accessing the http_error_log file through the Pimcore backend, without requiring privileges or user interaction. Successful exploitation allows recovery of sensitive credentials and session data, potentially enabling further compromise such as unauthorized database access, session hijacking, or lateral movement within the environment, alongside limited integrity and availability disruption.

Mitigation is available through patches released for the affected branches: upgrade to Pimcore 12.3.1 or 11.5.14. The fixes are detailed in GitHub commit 002ec7d5f84973819236796e5b314703b58e8601, pull request #18918, and the corresponding release tags, with additional guidance in the GHSA-q433-j342-rp9h security advisory.
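To make the CWE-532 pattern concrete, the following added PHP example (not Pimcore's code and not the fix from pull request #18918) shows an error-log writer in the vulnerable shape the advisory describes beside a hardened version that redacts credential- and session-bearing keys from $_SERVER, omits $_COOKIE, and keeps the file unreadable to other users; the key patterns and the sample request data are constructed assumptions.

```php
<?php
// Added example, not Pimcore's code. SENSITIVE_KEY_PATTERN and the sample
// request data below are assumptions chosen to cover what the advisory names:
// database passwords, session cookies and similar secrets.
const SENSITIVE_KEY_PATTERN = '/PASS|PWD|SECRET|TOKEN|AUTH|COOKIE|SESS|KEY/i';

// Vulnerable shape (CWE-532): the raw superglobals are serialised as-is.
function buildErrorEntryUnsafe(array $server, array $cookie): string
{
    return json_encode(['ts' => date('c'), 'server' => $server, 'cookie' => $cookie]);
}

// Redact by key name, recursively, so nested arrays are covered too.
function redactSensitive(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = redactSensitive($value);
        } elseif (preg_match(SENSITIVE_KEY_PATTERN, (string) $key) === 1) {
            $data[$key] = '[REDACTED]';
        }
    }
    return $data;
}

// Hardened shape: redact $_SERVER and leave $_COOKIE out entirely, since
// session identifiers carry no value for diagnosing an HTTP error.
function buildErrorEntrySafe(array $server): string
{
    return json_encode(['ts' => date('c'), 'server' => redactSensitive($server)]);
}

// Append the entry to a file readable only by the application user (AU-9);
// the log must also live outside anything the web backend can serve.
function appendErrorLog(string $logFile, string $entry): void
{
    file_put_contents($logFile, $entry . PHP_EOL, FILE_APPEND | LOCK_EX);
    chmod($logFile, 0640);
}

// Constructed sample request data standing in for $_SERVER.
$server = [
    'REQUEST_METHOD'     => 'GET',
    'REQUEST_URI'        => '/admin',
    'DB_PASSWORD'        => 'hunter2',            // exposed via the web server's environment
    'HTTP_COOKIE'        => 'PHPSESSID=abc123',
    'HTTP_AUTHORIZATION' => 'Basic dXNlcjpwdw==',
];
echo buildErrorEntrySafe($server), PHP_EOL;   // hunter2 and abc123 do not appear
```

The same redaction applied through buildErrorEntryUnsafe would still leak the $_COOKIE values, which is why the hardened function drops that array rather than filtering it.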


Vulnerability details

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.

CWE(s): CWE-532 (Insertion of Sensitive Information into Log File)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1552.001 Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

Direct exposure of credentials (DB passwords) and session cookies in accessible log files enables T1552.001 (Credentials In Files) and T1539 (Steal Web Session Cookie).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23492 (same product: Pimcore Pimcore)
CVE-2024-11956 (same product: Pimcore Pimcore)
CVE-2025-27617 (same product: Pimcore Pimcore)
CVE-2026-44052 (shared CWE-532)
CVE-2026-25193 (shared CWE-532)
CVE-2024-7577 (shared CWE-532)
CVE-2026-24762 (shared CWE-532)
CVE-2026-34487 (shared CWE-532)
CVE-2026-44516 (shared CWE-532)
CVE-2025-1075 (shared CWE-532)

Affected Assets

Vendor: pimcore
Product: pimcore
Versions: ≤ 11.5.14 · 12.0.0 — 12.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: AU-3 (Content of Audit Records). Defines audit record content to exclude sensitive information such as database passwords and session data from $_COOKIE and $_SERVER variables in http_error_log files.

prevent: AU-9 (Protection of Audit Information). Protects audit information in log files from unauthorized access through the Pimcore backend by unauthenticated attackers.

prevent: Ensures error handling in http_error_log does not disclose sensitive information like credentials and session data.
