Skip to main content

Kirby CMS CVE-2026-50188

| EUVDEUVD-2026-42669 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-18 https://github.com/getkirby/kirby GHSA-4v4h-m2qq-ppgw
6.9
CVSS 4.0 · Vendor: https://github.com/getkirby/kirby
Share

Severity by source

Vendor (https://github.com/getkirby/kirby) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

AC:H reflects the non-default condition requiring user input to reach Remote headers; S:C because impact falls on a separate upstream system; A:N as no availability impact is described.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (https://github.com/getkirby/kirby).

CVSS VectorVendor: https://github.com/getkirby/kirby

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 09, 2026 - 19:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 16:02 vuln.today
Analysis Generated
Jun 18, 2026 - 16:02 vuln.today

DescriptionCVE.org

TL;DR

This vulnerability affects Kirby sites and plugins that use the Kirby\Http\Remote class (including Remote::request(), Remote::get(), Remote::post(), and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the headers option of such a request.

By including newline characters in the value of the header, it was possible to inject a separate, independent header that was not intended to be set.

A successful attack requires that an application or plugin forwards attacker-influenced input into a request header value. Sites that only send static, developer-defined headers are *not* affected. The attack does not target Panel users or site visitors directly; it targets the remote service that Kirby connects to.

In Kirby's default configuration, the Remote class is not exposed to untrusted input, so a default installation is *not* affected. The vulnerability becomes relevant for custom code, plugins, or integrations that build request headers from user input.

----

Introduction

HTTP header injection (also known as CRLF injection) is a type of vulnerability that allows an attacker to insert additional, attacker-controlled HTTP headers into a request or response. HTTP headers are separated by carriage-return and line-feed characters (\r\n). If untrusted data containing these characters is placed into a header value without sanitization, an attacker can terminate the intended header early and append headers of their own.

For outgoing requests, this means an attacker who controls part of a header value can add or override headers that the application did not intend to send. Depending on the remote service, this can be used to override security-relevant headers (such as Authorization, Host, or Cookie), to smuggle requests, or to poison caches on the upstream system.

Such vulnerabilities are relevant if untrusted input can reach the header values of an outgoing request - for example, a user-configurable API token, a forwarded tracking identifier, or any other value that originates from a request, form field, or content file.

Affected components

The Kirby\Http\Remote class is used throughout Kirby and by plugins to perform outgoing HTTP requests. Its headers option allows callers to define the headers sent with the request.

As the vulnerability is in the way Remote assembles these headers, it affects all code paths that send a Remote request whose header values contain untrusted data. The Kirby core itself has not passed untrusted data in that way, but plugins or custom code might have used the class in such a way.

Impact

In affected releases, header values passed to Remote were handed to the cURL request library without removing newline characters:

The headers option accepted arbitrary strings as header values and forwarded them to the underlying cURL request unchanged. A value containing \r\n was written verbatim to the socket and therefore split into several header lines on the wire.

For example, a single X-Foo header value of "Bar\r\nX-Injected: pwned" produced two separate headers in the outgoing request:

X-Foo: Bar
X-Injected: pwned

The receiving server parsed X-Injected: pwned as its own header. In the same way, an attacker could override a header that the application set earlier in the same request (for example, replacing a legitimate Authorization header).

The vulnerability allows attackers to inject or override HTTP headers in outgoing requests, provided the affected application or plugin includes attacker-controlled data in a header value.

Patches

The problem has been patched in Kirby 4.9.4 and Kirby 5.4.4. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we now strip carriage-return and line-feed characters from header values before they are passed to the underlying request, preventing additional headers from being injected.

AnalysisAI

HTTP header injection (CRLF injection) in Kirby CMS's Kirby\Http\Remote class allows attackers who can influence outgoing request header values to inject or override arbitrary HTTP headers sent to upstream services. Affected are sites running Kirby versions up to 4.9.3 or 5.0.0-alpha.1 through 5.4.3 where custom code, plugins, or integrations pass user-controlled data into the headers option of Remote requests - the default Kirby installation is not affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted input containing CRLF characters
Delivery
Application passes value to Remote::request() headers option
Exploit
cURL writes raw CRLF sequence to TCP socket
Execution
Remote service HTTP parser splits value into separate header lines
Persist
Injected header (e.g., Authorization) overrides intended value
Impact
Attacker gains unauthorized access to upstream API or poisons upstream cache

Vulnerability AssessmentAI

Exploitation Exploitation requires that a Kirby site or plugin explicitly passes attacker-influenced data - such as a value from a form field, query parameter, request header forwarded from a user, or a user-editable content file - into the `headers` option of any `Kirby\Http\Remote` call (`Remote::request()`, `Remote::get()`, `Remote::post()`, or equivalent helpers). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score or EPSS data has been assigned, so quantitative risk signals are absent and all metric assessments are inferred from the advisory description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted form field or API parameter - for example, a user-configurable API token or tracking identifier - containing the character sequence `\r\nAuthorization: attacker-value` to a Kirby site whose plugin or custom code passes this value directly into the `headers` option of a `Remote::get()` or `Remote::post()` call. The `Remote` class forwards the raw string to cURL, which writes it verbatim to the TCP socket; the upstream service's HTTP parser treats the injected text as a standalone `Authorization` header, overriding the legitimate credential and granting the attacker the ability to impersonate the Kirby application to the remote API. …
Remediation The primary remediation is to upgrade to Kirby 4.9.4 (for sites on the 4.x branch, release at https://github.com/getkirby/kirby/releases/tag/4.9.4) or Kirby 5.4.4 (for sites on the 5.x branch, release at https://github.com/getkirby/kirby/releases/tag/5.4.4). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy