Description
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed the `options` to be overridden during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then overrode the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request.
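As an added illustration (not Kirby's own code), the following PHP sketch shows the class of defect the description covers: a model-creation normalizer that lets the request body supply the `blueprint` property, beside one that discards it and takes the blueprint only from site configuration. All function names, the `CONFIGURED_BLUEPRINT` constant and the request data are hypothetical and constructed for this example.

```php
<?php
// Added example, not Kirby's own code. Hypothetical names throughout: it
// models a creation normalizer that must not let the request body supply
// the `blueprint` property (and so the `options`) authorization later reads.
declare(strict_types=1);

// Constructed stand-in for the blueprint the site developer configured
// for the target model (e.g. an `options: { create: false }` entry in
// site/blueprints/pages/...). Constant name is hypothetical.
const CONFIGURED_BLUEPRINT = ['options' => ['create' => false]];

// Vulnerable normalization: every key of the request body, including a
// caller-supplied `blueprint`, is merged over the configured defaults.
function normalizeVulnerable(array $props): array
{
    return array_merge(['blueprint' => CONFIGURED_BLUEPRINT], $props);
}

// Hardened normalization: keep only an allow-list of caller-controlled
// keys and always take the blueprint from site configuration, so a
// `blueprint` key in the request is dropped before it is ever consulted.
function normalizeHardened(array $props): array
{
    $allowed = ['slug', 'template', 'content', 'parent'];
    $clean   = array_intersect_key($props, array_flip($allowed));
    $clean['blueprint'] = CONFIGURED_BLUEPRINT;
    return $clean;
}

// Authorization as the description frames it: an explicit blueprint
// option overrides the role's `pages.create` permission.
function mayCreate(array $props, bool $rolePermission): bool
{
    return (bool) ($props['blueprint']['options']['create'] ?? $rolePermission);
}

// Constructed request body from a user whose role lacks pages.create.
// The `blueprint` key is what a request should never be able to set.
$request = [
    'slug'      => 'example',
    'template'  => 'article',
    'content'   => ['title' => 'Example'],
    'blueprint' => ['options' => ['create' => true]],
];

echo 'vulnerable normalizer allows create: ',
    var_export(mayCreate(normalizeVulnerable($request), false), true), PHP_EOL;
echo 'hardened normalizer allows create:   ',
    var_export(mayCreate(normalizeHardened($request), false), true), PHP_EOL;
```

The allow-list in the hardened variant also drops any other unexpected key, which is the general remedy for this kind of mass-assignment into authorization-relevant properties.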
Published: 2026-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Immediately
AI Analysis

Impact

Kirby CMS allows developers to define granular permissions in user and model blueprints. Prior to version 4.9.0 of the 4.x line and 5.4.0 of the 5.x line, the system permitted the injection of dynamic blueprint configuration into page, file, or user creation requests. An attacker could embed custom options that set a 'create' flag to true, thereby overriding the intended permissions and enabling creation of content or users without the required role. The vulnerability is categorized as CWE-863, improper authorization.

Affected Systems

The vulnerability affects the open-source Kirby CMS (vendor/product getkirby:kirby). All releases before 4.9.0 and before 5.4.0 are vulnerable. Any installation that uses default or custom page, file, or user blueprints where the 'options' feature is enabled is affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit a creation request that includes custom blueprint configuration. Because the attacker can manipulate the data sent during creation, the impact is unauthorized creation of pages, files, or users with permissions beyond those the attacker's role grants.

Generated by OpenCVE AI on April 28, 2026 at 23:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kirby installation to at least version 4.9.0 for the 4.x line or 5.4.0 for the 5.x line, which contain the fixed blueprint filter.
  • Examine all custom blueprints and ensure that no dynamic configuration sets a 'create' => true flag for protected roles.
  • Restrict access to the content and user creation endpoints to trusted roles and apply network controls to reduce the attack surface.
  • Audit any plugins or extensions that may inject blueprint data during creation to confirm they do not re-introduce the vulnerability.


Advisories
Source: GitHub GHSA
ID: GHSA-6gqr-mx34-wh8r
Title: Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
History

Mon, 27 Apr 2026 19:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Getkirby
                                      Getkirby kirby
CPEs                                  cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*
Vendors & Products                    Getkirby
                                      Getkirby kirby
Metrics                               cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 24 Apr 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 01:15:00 +0000

Type                 Values Removed   Values Added
Description                           Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed to override the `options` during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then caused an override of the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request.
Title                                 Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
Weaknesses                            CWE-863
References
Metrics                               cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T12:11:41.783Z

Reserved: 2026-04-20T14:01:46.672Z

Link: CVE-2026-41325

Vulnrichment

Updated: 2026-04-24T12:11:36.571Z

NVD

Status : Analyzed

Published: 2026-04-24T01:16:12.427

Modified: 2026-04-27T19:07:45.000

Link: CVE-2026-41325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses