High severity · OSV Advisory · Published Jan 15, 2026 · Updated Jan 15, 2026
Pimcore ENV Variables and Cookie Information are exposed in http_error_log
CVE-2026-23493
Description
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.
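To make the leak concrete, here is an added PHP example (not Pimcore's code) that mimics the pre-fix listener's wholesale capture of $_SERVER and $_COOKIE on constructed request data and contrasts it with an allow-list capture; the key names and values are assumptions for illustration, and the allow-list variant is a design choice of this example rather than the upstream fix, which removes the columns entirely.

```php
<?php
declare(strict_types=1);

// Constructed sample of what a PHP-FPM worker may carry in $_SERVER and $_COOKIE.
// Environment variables such as DATABASE_URL are mirrored into $_SERVER, which is
// how a database password ends up inside a serialized copy of it. Values are made up.
$sampleServer = [
    'REQUEST_URI'         => '/no-such-page',
    'REQUEST_METHOD'      => 'GET',
    'HTTP_HOST'           => 'shop.example',
    'HTTP_USER_AGENT'     => 'Mozilla/5.0',
    'HTTP_COOKIE'         => 'PHPSESSID=sess-abc123; pimcore_admin_sid=sid-def456',
    'HTTP_AUTHORIZATION'  => 'Basic dXNlcjpzM2NyZXQ=',
    'DATABASE_URL'        => 'mysql://pimcore:dbpass-s3cret@db:3306/pimcore',
    'PIMCORE_ENVIRONMENT' => 'prod',
];
$sampleCookie = ['PHPSESSID' => 'sess-abc123', 'pimcore_admin_sid' => 'sid-def456'];

// Pre-fix behaviour in spirit: the whole superglobals are serialized into the log row.
function captureUnfiltered(array $server, array $cookie): string
{
    return serialize(['cookies' => $cookie, 'serverVars' => $server]);
}

// Hardened alternative: keep only request-shape keys that help debug a 404,
// never store cookies, and record which keys were redacted instead of their values.
const SAFE_SERVER_KEYS = ['REQUEST_URI', 'REQUEST_METHOD', 'HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT'];

function captureFiltered(array $server): string
{
    $kept = array_intersect_key($server, array_flip(SAFE_SERVER_KEYS));
    $dropped = array_diff_key($server, $kept);
    $kept['_redacted'] = implode(',', array_keys($dropped));
    return serialize(['serverVars' => $kept]);
}

// Returns which of the constructed secrets survive into a stored blob.
function leakedSecrets(string $blob): array
{
    $secrets = ['dbpass-s3cret', 'sess-abc123', 'sid-def456', 'dXNlcjpzM2NyZXQ='];
    return array_values(array_filter($secrets, fn (string $s) => str_contains($blob, $s)));
}

print_r(leakedSecrets(captureUnfiltered($sampleServer, $sampleCookie)));
print_r(leakedSecrets(captureFiltered($sampleServer)));
```

The first call lists every constructed secret, because anyone who can read the http_error_log detail view in the backend sees the serialized blob; the second lists none.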
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/pimcore (Packagist) | >= 12.0.0-RC1, < 12.3.1 | 12.3.1 |
| pimcore/pimcore (Packagist) | < 11.5.14 | 11.5.14 |
Patches (1)
002ec7d5f849 [Security]: Remove and disable sensitive data log in http error Log (#18918)
7 files changed · +57 −23
bundles/CoreBundle/src/Migrations/Version20251217000100.php+44 −0 added@@ -0,0 +1,44 @@ +<?php + +declare(strict_types=1); + +/** + * Pimcore + * + * This source file is available under two different licenses: + * - GNU General Public License version 3 (GPLv3) + * - Pimcore Commercial License (PCL) + * Full copyright and license information is available in + * LICENSE.md which is distributed with this source code. + * + * @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org) + * @license http://www.pimcore.org/license GPLv3 and PCL + */ + +namespace Pimcore\Bundle\CoreBundle\Migrations; + +use Doctrine\DBAL\Schema\Schema; +use Doctrine\Migrations\AbstractMigration; + +final class Version20251217000100 extends AbstractMigration +{ + public function getDescription(): string + { + return 'Remove parametersPost, cookies and serverVars from http_error_log'; + } + + public function up(Schema $schema): void + { + $this->addSql(' + ALTER TABLE `http_error_log` + DROP COLUMN `parametersPost`, + DROP COLUMN `cookies`, + DROP COLUMN `serverVars` + '); + } + + public function down(Schema $schema): void + { + // do nothing + } +}
bundles/CoreBundle/translations/admin.sk.yaml+0 −1 modified@@ -105,7 +105,6 @@ show_in_tree: "Zobrazi\u0165 v strome" exactmatch: "presn\xE1 zhoda" desktop: "Stoln\xFD po\u010D\xEDta\u010D" drag_me: Potiahni ma -serverVars: "Premenn\xE9 serveru" attributes: "Atrib\xFAty" code: "K\xF3d" tag: Tag
bundles/CoreBundle/translations/admin.sv_fi.yaml+0 −1 modified@@ -100,7 +100,6 @@ show_in_tree: "Visa i tr\xE4dstruktur" exactmatch: Exakt matching desktop: Dator drag_me: Dra mig -serverVars: Server-variabler attributes: Attribut code: Kod tag: Tag
bundles/SeoBundle/src/Controller/MiscController.php+2 −2 modified@@ -63,7 +63,7 @@ public function httpErrorLogAction(Request $request): JsonResponse $filter = $db->quote('%' . $filter . '%'); $conditionParts = []; - foreach (['uri', 'code', 'parametersGet', 'parametersPost', 'serverVars', 'cookies'] as $field) { + foreach (['uri', 'code', 'parametersGet'] as $field) { $conditionParts[] = $field . ' LIKE ' . $filter; } $condition = ' WHERE ' . implode(' OR ', $conditionParts); @@ -96,7 +96,7 @@ public function httpErrorLogDetailAction(Request $request, ?Profiler $profiler): $data = $db->fetchAssociative('SELECT * FROM http_error_log WHERE uri = ?', [$request->query->getString('uri')]); foreach ($data as $key => &$value) { - if (in_array($key, ['parametersGet', 'parametersPost', 'serverVars', 'cookies'])) { + if ($key === 'parametersGet') { $value = unserialize($value); } }
bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php+0 −3 modified@@ -91,9 +91,6 @@ protected function logToHttpErrorLog(Request $request, int $statusCode): void 'uri' => $uri, 'code' => $statusCode, 'parametersGet' => serialize($_GET), - 'parametersPost' => serialize($_POST), - 'cookies' => serialize($_COOKIE), - 'serverVars' => serialize($_SERVER), 'date' => time(), 'count' => 1, ]);
bundles/SeoBundle/src/Resources/install/install.sql+0 −3 modified@@ -3,9 +3,6 @@ CREATE TABLE IF NOT EXISTS `http_error_log` ( `uri` varchar(1024) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, `code` int(3) DEFAULT NULL, `parametersGet` longtext, - `parametersPost` longtext, - `cookies` longtext, - `serverVars` longtext, `date` int(11) unsigned DEFAULT NULL, `count` bigint(20) unsigned DEFAULT NULL, PRIMARY KEY (`id`),
bundles/SeoBundle/templates/misc/http_error_log_detail.html.twig+11 −13 modified@@ -44,19 +44,17 @@ <h2>{{ data["code"] }} | {{ data["uri"] }}</h2> {% for key,value in data %} - {% if key in ["parametersGet", "parametersPost", "serverVars", "cookies"] %} - {% if value is not empty %} - <h2 class="sub">{{ key|trans([], 'admin') }}</h2> - - <table> - {% for key,value in value %} - <tr> - <th valign="top">{{ key }}</th> - <td valign="top">{{ value }}</td> - </tr> - {% endfor %} - </table> - {% endif %} + {% if value is not empty and key == "parametersGet" %} + <h2 class="sub">{{ key|trans([], 'admin') }}</h2> + + <table> + {% for key,value in value %} + <tr> + <th valign="top">{{ key }}</th> + <td valign="top">{{ value }}</td> + </tr> + {% endfor %} + </table> {% endif %} {% endfor %}
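Review bot: the migration Version20251217000100 issues `ALTER TABLE http_error_log DROP COLUMN ...` unconditionally even though the `Schema $schema` argument is available to guard it; the table is created by the SeoBundle install.sql rather than by CoreBundle, so on an installation where that table or one of the three columns is absent the statement fails and aborts the whole migration run. Suggest wrapping it in `if ($schema->hasTable('http_error_log') && $schema->getTable('http_error_log')->hasColumn('serverVars'))`, and since `down()` is deliberately a no-op so the sensitive columns are never re-created, a `$this->write(...)` or a comment stating that intent would make the irreversibility explicit.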
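Review bot: in httpErrorLogDetailAction the remaining `unserialize($value)` on the `parametersGet` column is still a plain unserialize of database content; the value written by the listener is `serialize($_GET)`, which only ever holds arrays and strings, so `unserialize($value, ['allowed_classes' => false])` costs nothing and rules out object instantiation should that column ever be tampered with. Also `fetchAssociative` returns `false` when no row matches the given `uri`, and the following `foreach ($data as $key => &$value)` then warns; an early return on `false` keeps the endpoint tidy.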
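Review bot: the insert in logToHttpErrorLog still stores `serialize($_GET)` in `parametersGet`, and query strings regularly carry tokens (password-reset links, signed URLs, API keys) that a 404 on a mistyped URL would now persist to the same backend-readable table; consider redacting well-known sensitive parameter names or truncating the value before serializing. Since `Request $request` is already a parameter of this method, `$request->query->all()` would also be preferable to reading the `$_GET` superglobal directly.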
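Review bot: in http_error_log_detail.html.twig the inner `{% for key,value in value %}` shadows the outer loop's `key` and `value`; renaming them to `paramKey, paramValue` would avoid confusion now that the block only handles `parametersGet`. Because that value is the unserialized `$_GET`, entries such as `filter[color]=red` arrive as nested arrays and `{{ value }}` on an array does not render usefully; guarding with `{% if value is iterable %}{{ value|json_encode }}{% else %}{{ value }}{% endif %}` keeps the detail view from breaking on such rows.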
References
- github.com/advisories/GHSA-q433-j342-rp9h (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23493 (advisory)
- github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601 (fix commit)
- github.com/pimcore/pimcore/pull/18918 (fix pull request)
- github.com/pimcore/pimcore/releases/tag/v11.5.14 (release)
- github.com/pimcore/pimcore/releases/tag/v12.3.1 (release)
- github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h (vendor advisory)