Description
Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect those who have not deviated from the default user permissions. This issue has been patched in version 5.2.2.
Published: 2026-01-08
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Content Modification
Action: Patch
AI Analysis

Impact

The vulnerability lies in Kirby CMS’ content changes API missing permission checks between versions 5.0.0 and 5.2.1, allowing users who normally lack write permissions to submit updates. Attackers with API access can modify or delete site content, bypassing configured role restrictions. This results in unintended content tampering and potential data loss.

Affected Systems

Kirby CMS versions 5.0.0 through 5.2.1 installed on sites with modified permission settings. The affected code is present in every installation of the open-source Kirby CMS in that version range, but the missing check only matters on sites that have disabled the update permission for certain roles in order to make them read-only.

Risk and Exploitability

The vulnerability has a CVSS score of 5.8, indicating moderate severity, and an EPSS score of less than 1%, implying a very low probability of exploitation. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The likely attack vector involves making authenticated or possibly unauthenticated API calls to the content changes endpoint on a site where write permissions have been disabled for certain roles; because the endpoint does not enforce the update permission, the caller can issue write operations that bypass the configured authorization.

Generated by OpenCVE AI on April 18, 2026 at 07:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Kirby to version 5.2.2 or newer
  • Review the site’s permission configuration to ensure that the update permission is granted only to appropriate roles
  • Implement logging or auditing of content changes to detect any unauthorized modifications



Advisories
Source: Github GHSA
ID:     GHSA-4j78-4xrm-cr2f
Title:  Kirby is missing permission checks in the content changes API
History

Mon, 02 Feb 2026 19:15:00 +0000

Type       Values Removed   Values Added
CPEs       -                cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*
Metrics    -                cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}

Sat, 10 Jan 2026 00:15:00 +0000

Type       Values Removed   Values Added
Metrics    -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Getkirby
                                       Getkirby kirby
Vendors & Products    -                Getkirby
                                       Getkirby kirby

Thu, 08 Jan 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description   -                Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect those who have not altered the deviated from default user permissions. This issue has been patched in version 5.2.2.
Title         -                Kirby is missing permission checks in the content changes API
Weaknesses    -                CWE-863
References    -                -
Metrics       -                cvssV4_0: {'score': 5.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:20:29.904Z

Reserved: 2026-01-05T17:24:36.930Z

Link: CVE-2026-21896

Vulnrichment

Updated: 2026-01-08T18:19:36.491Z

NVD

Status: Analyzed

Published: 2026-01-08T18:15:59.593

Modified: 2026-02-02T19:02:51.850

Link: CVE-2026-21896

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses