Pimcore Platform SQL Injection in DataObject Composite Index Handling
A SQL injection vulnerability exists in Pimcore Platform when handling DataObject composite indices during class definition import/save, allowing an authenticated administrative user to inject attacker-controlled composite index metadata, leading to unintended SQL execution in the backend, specifically via the `index_columns` element.
Pimcore Platform is vulnerable to SQL injection in the handling of DataObject composite indices during class definition import and save. An authenticated administrative user with the ability to import or save DataObject class definitions can inject attacker-controlled composite index metadata, leading to unintended SQL execution in the backend. The vulnerability lies in the lack of proper validation of the index_columns element within compositeIndices, which is directly concatenated into ALTER TABLE statements. This allows for the injection of arbitrary SQL, potentially leading to unauthorized schema modification, denial of service, and data integrity compromise. The issue affects Pimcore versions up to and including 12.3.6, with the vulnerability residing in the compositeIndices handling during class definition import/save operations.
Attack Chain
- An attacker authenticates as an administrative user with privileges to manage DataObject class definitions.
- The attacker crafts a malicious JSON payload containing a
compositeIndicessection. - Within the
compositeIndicessection, the attacker injects SQL code into theindex_columnsfield. For example:"slider), DROP COLUMN \oo_className` -- "` - The attacker imports the crafted JSON payload via the
/pimcore-studio/api/class/definition/configuration-view/detail/1/importendpoint or saves the class definition through the administrative workflow. importClassDefinitionFromJson()decodes the attacker-controlled JSON and forwardscompositeIndicestosetCompositeIndices().setCompositeIndices()stores the values without sanitizing identifier content.ClassDefinition::save()reachesClassDefinition\Dao::update()which then callsupdateCompositeIndices()on tables likeobject_store_<classId>andobject_query_<classId>.- The injected SQL code is concatenated into an
ALTER TABLEstatement, which is then executed against the Pimcore database via Doctrine DBAL, leading to unintended schema modifications.
Impact
The SQL injection vulnerability allows a privileged attacker to alter backend SQL behavior during class-definition import/save, resulting in schema modification on Pimcore object tables. This can lead to unauthorized schema changes, backend denial of service by breaking expected table layouts, and data integrity issues for DataObject storage and queries. Versions up to and including v12.3.6 are vulnerable.
Recommendation
- Deploy the Sigma rule "Detect Pimcore SQL Injection via Composite Index Manipulation" to your SIEM and tune for your environment to detect exploitation attempts (rules).
- Apply input validation and sanitization to the
index_columnsfield inPimcore\Model\DataObject\ClassDefinition::setCompositeIndices()to prevent SQL injection (code). - Upgrade Pimcore to a patched version that addresses CVE-2026-5394 when available.
- Monitor web server logs for POST requests to
/pimcore-studio/api/class/definition/configuration-view/detail/*/importwith suspicious characters in thecompositeIndicesparameter (logs).
Detection coverage 2
Detect Pimcore SQL Injection via Composite Index Manipulation
highDetects CVE-2026-5394 exploitation - Attempts to inject SQL commands into the `index_columns` field during class definition import/save in Pimcore.
Detect Pimcore Class Definition Import with Suspicious Composite Indices
mediumDetects suspicious characters or commands within the Composite Indices parameters when importing or saving class definitions in Pimcore, potentially indicating SQL injection attempts.
Detection queries are available on the platform. Get full rules →