Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server generates a real cryptographic recovery token, appends it to the supplied URL, and emails the link to the victim; when the victim clicks the link, the token is sent to the attacker and can be used with POST /pimcore-studio/api/login/token to authenticate with full admin privileges while bypassing two-factor authentication. This issue is fixed in versions 2025.4.6 and 2026.1.6.
AnalysisAI
Full admin account takeover in Pimcore (Studio backend) before 2025.4.6 and 2026.1.6 lets an unauthenticated attacker who knows a valid admin username hijack that account by submitting a password-reset request with an attacker-controlled resetPasswordUrl; the server appends a genuine recovery token to that URL and emails it to the victim, so a single victim click leaks the token to the attacker, who authenticates via POST /pimcore-studio/api/login/token with full admin rights and bypasses 2FA. GitHub advisory GHSA-h854-c3m3-mh5v classifies this as an authentication bypass (CWE-640). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Implement monitoring and alerting on all admin account password-reset requests and unusual login patterns; disable Pimcore password-reset functionality if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42698