Kirby CMS CVE-2026-42051
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
----
Introduction
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.
Impact
Kirby's user permissions control which user role is allowed to perform specific actions in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). The permissions control the authorization of user actions (with handling of model-specific authorization omitted here for brevity).
Kirby provides the access.system permission (among others) that controls access to the system area of the Kirby Panel. This area contains internal system information like the installed Kirby, plugin and server versions, security state and Kirby license. If the access.system permission is disabled for a user role, users of that role should not be able to access this internal system information. However it is also possible to access some system information via the /api/system REST API endpoint. In affected releases, the response of this endpoint for authenticated users contained the installed Kirby version and the status, type and code of the installed Kirby license. These values are considered sensitive information and should be protected by the access.system permission.
The installed Kirby version and license data can be used by malicious actors during reconnaissance when planning a separate attack.
Patches
The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, we have protected the version and license properties of the /api/system endpoint with a check for the existing access.system permission. This ensures that the REST API only outputs information that should be accessible to the user via the Panel.
Credits
Kirby thanks @HuajiHD and @0x-bala for responsibly reporting the identified issue.
AnalysisAI
Missing authorization in Kirby CMS allows authenticated Panel users without access.system permission to retrieve sensitive system information including installed Kirby version and license data via the /api/system REST API endpoint. This information can be leveraged for reconnaissance during subsequent attacks. Vendor-released patches: Kirby 4.9.0 and 5.4.0.
Technical ContextAI
Kirby CMS implements role-based access control through user permissions defined in user blueprints. The access.system permission explicitly controls visibility of internal system information including Kirby version, plugin versions, server information, security state, and license details. The vulnerability stems from an authorization check failure (CWE-862: Missing Authorization) in the REST API layer at the /api/system endpoint. While the Panel UI respects the access.system permission check, the REST API endpoint failed to enforce this same permission control, allowing authenticated users to bypass intended authorization boundaries and access protected system metadata through API requests.
RemediationAI
Vendor-released patches are available: upgrade to Kirby 4.9.0 for the 4.x branch or Kirby 5.4.0 for the 5.x branch, or any later release. Upgrading to Kirby 5 is strongly recommended. For environments unable to immediately patch, implement a temporary compensating control by restricting REST API access to the /api/system endpoint via web server configuration (nginx location block or Apache .htaccess) or reverse proxy rules, limiting access by IP address or requiring additional authentication headers. This control mitigates reconnaissance attacks but may break legitimate API integrations; coordinate with application teams before deployment. The fix ensures that access.system permission checks are enforced at the REST API layer, consistent with Panel UI authorization behavior. Patch details and release notes: https://github.com/getkirby/kirby/releases/tag/4.9.0 and https://github.com/getkirby/kirby/releases/tag/5.4.0.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x68m-c7jf-2572