Skip to main content

Kirby CMS CVE-2026-49274

| EUVDEUVD-2026-42667 MEDIUM
Missing Authorization (CWE-862)
2026-06-18 https://github.com/getkirby/kirby GHSA-23q2-54qv-rq5x
5.3
CVSS 4.0 · Vendor: https://github.com/getkirby/kirby
Share

Severity by source

Vendor (https://github.com/getkirby/kirby) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Requires authenticated Panel access (PR:L) and a non-default role configuration disabling pages.access (AC:H); impact is read-only title disclosure only (C:L, I:N, A:N).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/getkirby/kirby).

CVSS VectorVendor: https://github.com/getkirby/kirby

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 09, 2026 - 19:22 NVD
5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 16:01 vuln.today
Analysis Generated
Jun 18, 2026 - 16:01 vuln.today

DescriptionCVE.org

TL;DR

This vulnerability affects all Kirby sites that use the pages field and where users of a particular role have no permission to access pages (pages.access permission is disabled). This can be due to configuration in the user blueprint(s), options in the model blueprint(s), or a combination of both settings.

It was possible to confirm the existence of arbitrary pages and to retrieve the value of the title field of the pages found.

The vulnerability can only be exploited by authenticated users. Write actions are *not* affected by this vulnerability.

----

Introduction

Missing authorization allows authenticated users to perform actions they are not intended to have access to.

The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.

Affected components

Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.

Kirby provides the pages.access and pages.list permissions (among others). The list permission controls whether affected models appear in lists throughout the Panel and REST API. The access permission has the same effect but also disables direct access to the affected models.

This vulnerability affects the backend logic for the page picker that is used in the pages field to select pages. The picker is opened based on a user-provided parent page or the site model.

Impact

In affected releases, the backend logic did not validate that the user-provided parent page or site was accessible to the current user. This allowed authenticated attackers with knowledge of the full path to an existing page to confirm the existence of a particular page and to retrieve the value of the title field of that page. This could lead to the disclosure of sensitive information.

Patches

The problem has been patched in Kirby 4.9.4 and Kirby 5.4.4. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have added a check verifying that the requested parent page or site is accessible to the current user before returning the picker data.

AnalysisAI

Missing authorization in Kirby CMS's page picker backend exposes restricted page metadata to authenticated users whose roles have pages.access disabled. Affected sites running Kirby up to 4.9.3 or between 5.0.0-alpha.1 and 5.4.3 allow such users to confirm the existence of arbitrary pages and read their title fields by supplying a known page path directly to the picker endpoint - bypassing role-based access controls. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Kirby Panel
Delivery
Select role with pages.access disabled
Exploit
Craft picker API request with restricted page path
Execution
Picker backend skips access authorization check
Persist
Receive picker response containing page title
Impact
Confirm page existence and disclose title data

Vulnerability AssessmentAI

Exploitation Exploitation requires an active authenticated session in the Kirby Panel belonging to a role for which `pages.access` has been explicitly disabled - either in the role's user blueprint (`site/blueprints/users/<role>.yml`) or through per-model `options` in a page blueprint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score was provided by NVD or the vendor for this CVE; the assessment below is independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Kirby Panel user holding a role with `pages.access` disabled crafts a direct REST API request to the page picker endpoint, supplying the known path of a restricted parent page (e.g., a draft or internal section). Because the picker handler omits the `pages.access` authorization check, it returns the picker payload including the page title, confirming the page exists and revealing its title. …
Remediation Update to Kirby 4.9.4 (https://github.com/getkirby/kirby/releases/tag/4.9.4) or Kirby 5.4.4 (https://github.com/getkirby/kirby/releases/tag/5.4.4), or any subsequent release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy