Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires authenticated Panel access (PR:L) and a non-default role configuration disabling pages.access (AC:H); impact is read-only title disclosure only (C:L, I:N, A:N).
Primary rating from Vendor (https://github.com/getkirby/kirby).
CVSS VectorVendor: https://github.com/getkirby/kirby
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
TL;DR
This vulnerability affects all Kirby sites that use the pages field and where users of a particular role have no permission to access pages (pages.access permission is disabled). This can be due to configuration in the user blueprint(s), options in the model blueprint(s), or a combination of both settings.
It was possible to confirm the existence of arbitrary pages and to retrieve the value of the title field of the pages found.
The vulnerability can only be exploited by authenticated users. Write actions are *not* affected by this vulnerability.
----
Introduction
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.
Affected components
Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.
Kirby provides the pages.access and pages.list permissions (among others). The list permission controls whether affected models appear in lists throughout the Panel and REST API. The access permission has the same effect but also disables direct access to the affected models.
This vulnerability affects the backend logic for the page picker that is used in the pages field to select pages. The picker is opened based on a user-provided parent page or the site model.
Impact
In affected releases, the backend logic did not validate that the user-provided parent page or site was accessible to the current user. This allowed authenticated attackers with knowledge of the full path to an existing page to confirm the existence of a particular page and to retrieve the value of the title field of that page. This could lead to the disclosure of sensitive information.
Patches
The problem has been patched in Kirby 4.9.4 and Kirby 5.4.4. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, we have added a check verifying that the requested parent page or site is accessible to the current user before returning the picker data.
AnalysisAI
Missing authorization in Kirby CMS's page picker backend exposes restricted page metadata to authenticated users whose roles have pages.access disabled. Affected sites running Kirby up to 4.9.3 or between 5.0.0-alpha.1 and 5.4.3 allow such users to confirm the existence of arbitrary pages and read their title fields by supplying a known page path directly to the picker endpoint - bypassing role-based access controls. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated session in the Kirby Panel belonging to a role for which `pages.access` has been explicitly disabled - either in the role's user blueprint (`site/blueprints/users/<role>.yml`) or through per-model `options` in a page blueprint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score was provided by NVD or the vendor for this CVE; the assessment below is independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Kirby Panel user holding a role with `pages.access` disabled crafts a direct REST API request to the page picker endpoint, supplying the known path of a restricted parent page (e.g., a draft or internal section). Because the picker handler omits the `pages.access` authorization check, it returns the picker payload including the page title, confirming the page exists and revealing its title. … |
| Remediation | Update to Kirby 4.9.4 (https://github.com/getkirby/kirby/releases/tag/4.9.4) or Kirby 5.4.4 (https://github.com/getkirby/kirby/releases/tag/5.4.4), or any subsequent release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42667
GHSA-23q2-54qv-rq5x