Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However, the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allows overriding the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints.
Published: 2026-04-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation / Authorization Bypass
Action: Patch
AI Analysis

Impact

The vulnerability is an authorization flaw: the CMS’s REST API allows any authenticated user with the pages.create permission to set the isDraft flag to false, creating published content without holding the changeStatus permission. This bypasses the intended editorial workflow and enables malicious users to publish or modify content. The flaw stems from the system resolving the two permission checks independently, leading to a privilege escalation scenario, classified as CWE-1336.

Affected Systems

Affected systems are installations of the Kirby content management system version 4.8.x and earlier, and version 5.3.x and earlier, before the release of 4.9.0 and 5.4.0 respectively. The vulnerability is present regardless of the front‑end or back‑end configuration, as long as the REST API is accessible.

Risk and Exploitability

The CVSS base score is 7.6, indicating moderate to high severity, but the EPSS score of less than 1% suggests an unlikely exploitation rate at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need authenticated access and the ability to send REST API requests, so the attack requires a valid account. Once authenticated, the attacker can immediately publish new pages, causing potential reputational and compliance damage.

Generated by OpenCVE AI on April 28, 2026 at 07:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kirby CMS to version 4.9.0 or 5.4.0 to fix the permission check logic.
  • If an upgrade cannot be performed immediately, disable or restrict the REST API endpoints that allow isDraft flag manipulation, or enforce that only users with changeStatus permission can set this flag.
  • Review and tighten user role permissions, ensuring that pages.create is only assigned to trusted users, and that pages.changeStatus is granted only when necessary, following the principle of least privilege.
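As an added illustration (not Kirby's own code), the following PHP models the authorization decision described in the Description and the "enforce that only users with changeStatus permission can set this flag" recommendation above: the vulnerable pattern consults only pages.create, while the hardened one treats a non-draft create as create plus changeStatus. The role table, helper names and request shape are assumptions made for the model.

```php
<?php
// Added model of the authorization decision from the advisory; not Kirby's
// own code. Roles, helper names and the request shape are assumptions.
declare(strict_types=1);

// Permissions per role, in the spirit of a user blueprint (assumed values).
const ROLE_PERMISSIONS = [
    'editor' => ['pages.create' => true, 'pages.changeStatus' => true],
    'author' => ['pages.create' => true, 'pages.changeStatus' => false],
];

function hasPermission(string $role, string $permission): bool
{
    return ROLE_PERMISSIONS[$role][$permission] ?? false;
}

// Vulnerable pattern: pages.create alone decides, so a request that sets
// isDraft=false produces a published page for any user who may create.
function canCreateVulnerable(string $role, array $request): bool
{
    return hasPermission($role, 'pages.create');
}

// Hardened pattern: a create request that asks for a published page is
// treated as create + status change, so both permissions are required.
function canCreateHardened(string $role, array $request): bool
{
    if (!hasPermission($role, 'pages.create')) {
        return false;
    }
    // Drafts are the default; accept bools and the usual string forms.
    $isDraft = filter_var($request['isDraft'] ?? true,
        FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($isDraft === null) {
        return false; // unrecognised value: refuse instead of guessing
    }
    return $isDraft || hasPermission($role, 'pages.changeStatus');
}

// Constructed request mimicking an API create that overrides the draft flag.
$request = ['title' => 'Hello', 'isDraft' => false];
foreach (array_keys(ROLE_PERMISSIONS) as $role) {
    printf("%-6s vulnerable=%s hardened=%s\n", $role,
        var_export(canCreateVulnerable($role, $request), true),
        var_export(canCreateHardened($role, $request), true));
}
```

Run with `php` on the command line; the author role passes the vulnerable check but is refused by the hardened one, while the editor passes both.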

Advisories

  • Source: Github GHSA; ID: GHSA-jcjw-58rv-c452; Title: Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering

History

Mon, 27 Apr 2026 19:30:00 +0000 (values added)

  • First Time appeared: Getkirby; Getkirby kirby
  • CPEs: cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*
  • Vendors & Products: Getkirby; Getkirby kirby
  • Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Fri, 24 Apr 2026 19:15:00 +0000 (values added)

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 01:15:00 +0000 (values added)

  • Description: identical to the Description section at the top of this page
  • Title: Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
  • Weaknesses: CWE-1336
  • References: (no values shown)
  • Metrics (cvssV4_0): {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:18:17.883Z

Reserved: 2026-03-30T16:56:30.999Z

Link: CVE-2026-34587

Vulnrichment

Updated: 2026-04-24T17:10:18.319Z

NVD

Status: Analyzed

Published: 2026-04-24T01:16:12.120

Modified: 2026-04-27T19:15:27.427

Link: CVE-2026-34587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses