Skip to main content

Kirby CMS CVE-2026-42051

MEDIUM
Missing Authorization (CWE-862)
2026-05-04 https://github.com/getkirby/kirby GHSA-x68m-c7jf-2572
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 09, 2026 - 04:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
May 04, 2026 - 20:32 vuln.today
Analysis Generated
May 04, 2026 - 20:32 vuln.today

DescriptionGitHub Advisory

TL;DR

This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.

----

Introduction

Missing authorization allows authenticated users to perform actions they are not intended to have access to.

The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.

Impact

Kirby's user permissions control which user role is allowed to perform specific actions in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). The permissions control the authorization of user actions (with handling of model-specific authorization omitted here for brevity).

Kirby provides the access.system permission (among others) that controls access to the system area of the Kirby Panel. This area contains internal system information like the installed Kirby, plugin and server versions, security state and Kirby license. If the access.system permission is disabled for a user role, users of that role should not be able to access this internal system information. However it is also possible to access some system information via the /api/system REST API endpoint. In affected releases, the response of this endpoint for authenticated users contained the installed Kirby version and the status, type and code of the installed Kirby license. These values are considered sensitive information and should be protected by the access.system permission.

The installed Kirby version and license data can be used by malicious actors during reconnaissance when planning a separate attack.

Patches

The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have protected the version and license properties of the /api/system endpoint with a check for the existing access.system permission. This ensures that the REST API only outputs information that should be accessible to the user via the Panel.

Credits

Kirby thanks @HuajiHD and @0x-bala for responsibly reporting the identified issue.

AnalysisAI

Missing authorization in Kirby CMS allows authenticated Panel users without access.system permission to retrieve sensitive system information including installed Kirby version and license data via the /api/system REST API endpoint. This information can be leveraged for reconnaissance during subsequent attacks. Vendor-released patches: Kirby 4.9.0 and 5.4.0.

Technical ContextAI

Kirby CMS implements role-based access control through user permissions defined in user blueprints. The access.system permission explicitly controls visibility of internal system information including Kirby version, plugin versions, server information, security state, and license details. The vulnerability stems from an authorization check failure (CWE-862: Missing Authorization) in the REST API layer at the /api/system endpoint. While the Panel UI respects the access.system permission check, the REST API endpoint failed to enforce this same permission control, allowing authenticated users to bypass intended authorization boundaries and access protected system metadata through API requests.

RemediationAI

Vendor-released patches are available: upgrade to Kirby 4.9.0 for the 4.x branch or Kirby 5.4.0 for the 5.x branch, or any later release. Upgrading to Kirby 5 is strongly recommended. For environments unable to immediately patch, implement a temporary compensating control by restricting REST API access to the /api/system endpoint via web server configuration (nginx location block or Apache .htaccess) or reverse proxy rules, limiting access by IP address or requiring additional authentication headers. This control mitigates reconnaissance attacks but may break legitimate API integrations; coordinate with application teams before deployment. The fix ensures that access.system permission checks are enforced at the REST API layer, consistent with Panel UI authorization behavior. Patch details and release notes: https://github.com/getkirby/kirby/releases/tag/4.9.0 and https://github.com/getkirby/kirby/releases/tag/5.4.0.

Share

CVE-2026-42051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy