Description
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action, so the `changeStatus` permission had no effect on page creation. New pages are created as drafts by default and need to be published by changing the status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allowed the `isDraft` flag to be overridden when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.
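As an added illustration (not Kirby's own code), the following standalone PHP models the two-permission authorization described above and the creation-time rule the patch introduces. The `Role` and `PageCreateRequest` classes, the `assertCanCreate()` function and the sample role names are assumptions made for this example; only the `pages.create` and `pages.changeStatus` permission keys and the `isDraft` flag come from the advisory. A `$patched` switch runs the same requests through the pre-fix rule (create permission only) and the fixed rule (a non-draft creation also needs `pages.changeStatus`), so the output shows exactly which request the fix now denies.

```php
<?php
// Added example, not Kirby's own code: a minimal model of Kirby-style role
// permissions and the page-creation rule that closes CVE-2026-40099.
// Role, PageCreateRequest, assertCanCreate() and the role names are
// assumptions for this illustration; the permission keys and isDraft flag
// are taken from the advisory text.

declare(strict_types=1);

final class Role
{
    /** @param array<string,bool> $permissions keyed like blueprint permissions */
    public function __construct(
        public readonly string $name,
        private readonly array $permissions,
    ) {}

    public function can(string $permission): bool
    {
        return $this->permissions[$permission] ?? false;
    }
}

final class PageCreateRequest
{
    public function __construct(
        public readonly string $slug,
        // The Panel always submits drafts; an API caller can set this field.
        public readonly bool $isDraft = true,
    ) {}
}

/**
 * Authorization rule for page creation.
 *
 * Pre-fix rule (as described in the advisory): only `pages.create` is checked,
 * so a request with isDraft=false yields a published page.
 * Fixed rule: creating a page that is not a draft is itself a status change,
 * so it additionally requires `pages.changeStatus`.
 */
function assertCanCreate(Role $role, PageCreateRequest $req, bool $patched = true): void
{
    if (!$role->can('pages.create')) {
        throw new RuntimeException("{$role->name} may not create pages");
    }
    if ($patched && !$req->isDraft && !$role->can('pages.changeStatus')) {
        throw new RuntimeException(
            "{$role->name} may only create drafts; publishing requires pages.changeStatus"
        );
    }
}

// Constructed sample roles: an author who may create but not publish, and an editor.
$author = new Role('author', ['pages.create' => true, 'pages.changeStatus' => false]);
$editor = new Role('editor', ['pages.create' => true, 'pages.changeStatus' => true]);

$cases = [
    ['role' => $author, 'req' => new PageCreateRequest('news-1')],                 // draft: allowed
    ['role' => $author, 'req' => new PageCreateRequest('news-2', isDraft: false)], // publish attempt
    ['role' => $editor, 'req' => new PageCreateRequest('news-3', isDraft: false)], // editor may publish
];

foreach ([false, true] as $patched) {
    echo $patched ? "patched rules:\n" : "pre-fix rules:\n";
    foreach ($cases as $c) {
        try {
            assertCanCreate($c['role'], $c['req'], $patched);
            $state = $c['req']->isDraft ? 'draft' : 'published';
            echo "  {$c['role']->name} created {$c['req']->slug} as {$state}\n";
        } catch (RuntimeException $e) {
            echo "  denied: {$e->getMessage()}\n";
        }
    }
}
```

Under the pre-fix rule all three requests succeed, including the author's `news-2` as a published page; under the patched rule that request is the only one denied, while the author's draft and the editor's published page still go through. The same shape of check is what a reviewer would look for in any CMS whose API exposes a status field on create: the create permission alone must not be allowed to imply the publish permission.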
Published: 2026-04-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized publishing of pages by bypassing the changeStatus permission
Action: Patch immediately
AI Analysis

Impact

Kirby’s page creation API incorrectly allows the isDraft flag to be overridden, enabling any authenticated user with the pages.create permission to publish pages directly. Because the changeStatus permission is not enforced at page creation time, an attacker can add content that bypasses the normal editorial workflow and immediately makes it visible to all users. This can lead to accidental exposure of incomplete or inappropriate content and can be leveraged by attackers to inject or modify site content without the oversight normally provided by editorial review.

Affected Systems

The vulnerability affects all installations of the Kirby content management system running a version earlier than 4.9.0 or 5.4.0. Users who have configured roles with only the pages.create permission—without also granting pages.changeStatus—are at risk because the API does not check for the latter during page creation.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity while the EPSS score of less than 1% suggests that exploitation is unlikely at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers must first authenticate and obtain the pages.create permission, then use the REST API’s unfiltered isDraft parameter to create a published page. Once posted, the page is immediately visible to all site visitors, providing an efficient vector for content injection or misinformation. The risk is highest when user roles are overly permissive or the CMS is exposed to a large user base.

Generated by OpenCVE AI on April 28, 2026 at 07:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kirby to at least version 4.9.0 or 5.4.0 where the isDraft check is enforced during page creation
  • Verify that roles which do not require publishing capabilities are not granted the pages.changeStatus permission
  • Review API access controls to ensure that the isDraft parameter cannot be set to true by unauthenticated or low-privilege users
  • Test content creation workflows after patching to confirm that published pages cannot be bypassed through the API


Advisories

Source | ID | Title
GitHub GHSA | GHSA-w942-j9r6-hr6r | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
History

Mon, 27 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Getkirby; Getkirby kirby
CPEs | | cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*
Vendors & Products | | Getkirby; Getkirby kirby
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Sat, 25 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.
Title | | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
Weaknesses | | CWE-863
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:41:56.640Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40099

Vulnrichment

Updated: 2026-04-25T01:41:50.543Z

NVD

Status : Analyzed

Published: 2026-04-24T01:16:12.273

Modified: 2026-04-27T19:12:30.627

Link: CVE-2026-40099

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses