Kirby CMS CVE-2026-44176
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/getkirby/kirby) · only source for this CVE.
CVSS VectorVendor: https://github.com/getkirby/kirby
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
TL;DR
This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (pages.access permission is disabled). This can be due to configuration in the user blueprint(s), via options in the model blueprint(s) or via a combination of both settings.
Kirby sites are *not* affected if they intend all users of the site to be able to access all page drafts of the site. The vulnerability can only be exploited by authenticated users. Write actions are *not* affected by this vulnerability.
----
Introduction
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.
Affected components
Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.
Kirby provides the pages.access and pages.list permissions (among others). The list permission controls whether affected models appear in lists throughout the Panel and REST API. The access permission has the same effect but also disables direct access to the affected models.
This vulnerability affects the path resolver for the main CMS router. The resolver takes an input path from the requested URL and determines which model (page or file) should be rendered. When a path is requested that points to a page draft, the resolver checks that the request either contains a valid preview token or is authenticated by a valid user.
Impact
In affected releases, Kirby allowed page drafts to be rendered if any valid user was authenticated, even if that user did not have access to the specific page model. Authenticated attackers with knowledge of the full path to an existing page draft could then access the rendered frontend page. This could lead to the disclosure of sensitive information, e.g. ahead of the launch of a new product or post.
Patches
The problem has been patched in Kirby 4.9.1 and Kirby 5.4.1. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, Kirby has added a check that verifies that the requested page draft is accessible to the current user before rendering the draft template.
Credits
Kirby thank to @adrgs for responsibly reporting the identified issue.
AnalysisAI
Kirby CMS's path resolver fails to enforce pages.access permission checks when rendering page drafts, allowing authenticated users who lack access to specific page models to view those drafts by knowing the full URL path. Affected installations are those explicitly configured to restrict certain user roles from accessing pages via pages.access: false in user or model blueprints - sites where all users may access all pages are unaffected. No public exploit or CISA KEV listing exists at time of analysis, but the impact is information disclosure of unpublished content such as pre-launch product pages or embargoed posts.
Technical ContextAI
Kirby CMS (composer package getkirby/cms) is a flat-file PHP CMS with a role-based permission system defined in YAML blueprints. The vulnerability (CWE-862: Missing Authorization) resides in the main CMS router's path resolver component. When a URL path corresponding to a page draft is requested, the resolver performs an authentication check - verifying the request is from a valid user or carries a preview token - but omits the subsequent authorization check that would validate the user's pages.access permission for that specific page model. This two-step flaw (authentication without authorization) means passing the first gate (any valid session) bypasses the intended second gate (model-level access control). Affected versions span two release branches: <= 4.9.0 and >= 5.0.0, <= 5.4.0 per NVD CPE data from the GitHub Advisory (GHSA-2xw4-v2wx-hqq9).
RemediationAI
The primary fix is to upgrade to Kirby 5.4.1 or later (recommended); users unable to upgrade to Kirby 5 should apply the backport release 4.9.1, or preferably 4.9.2 which also addresses a separate symfony/yaml vulnerability. Both releases add an explicit authorization check in the path resolver to verify the requesting user has pages.access permission for the target page model before rendering the draft. Advisory and release notes are at https://github.com/getkirby/kirby/security/advisories/GHSA-2xw4-v2wx-hqq9. If an immediate upgrade is not feasible, a compensating control is to audit and tighten session management - revoke active sessions for roles that should not access restricted drafts and ensure draft URL paths are not discoverable (e.g., do not expose them in sitemaps, link previews, or internal communications accessible to restricted users). This workaround does not eliminate the vulnerability but reduces exploitability by limiting attacker knowledge of valid draft paths.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2xw4-v2wx-hqq9