CVE-2026-5394
My name is Oscar Uribe, Security Researcher at Fluid Attacks. I am reaching out because we have identified a security vulnerability in Pimcore 12.3.3 that we would like to report to you so we can coordinate a responsible disclosure together.
As part of our standard disclosure measures, we follow a timeline (outlined at https://fluidattacks.com/advisories/policy), which is aligned with ISO/IEC 29147:2018 and ISO/IEC 30111:2019. In short, the timeline works as follows: we ask for acknowledgment of the report within a few days of your first accessing it, and from there, we are happy to coordinate a joint disclosure date with you, typically within 90 days of the initial discovery. This gives your team reasonable time to assess, develop, and release a fix.
We have reserved the CVE ID "CVE-2026-5394" for this issue, and the advisory will eventually be published at https://fluidattacks.com/advisories/dragons. We are committed to coordinating the timing of that publication with you.
Please feel free to reach out if you have any questions about the report, the process, or the timeline. We are glad to work with you on this.
Description
An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend.
The vulnerable flow accepts compositeIndices from imported JSON, stores the values without strict validation, and later concatenates them directly into ALTER TABLE ... DROP INDEX and ALTER TABLE ... ADD INDEX statements executed through Doctrine DBAL.
Although the original report focused on compositeIndices.index_key, independent code review shows that the strongest and most reliable injection point is compositeIndices.index_columns, because it is inserted verbatim inside the ADD INDEX (...) clause. This permits injection of additional ALTER TABLE subclauses against Pimcore object tables without relying on stacked queries.
Vulnerability
Root c
⚡ Watch CVE-2026-5394
Get an email if CVE-2026-5394 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.35% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 27% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-5394)