Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to retrieve sensitive license data and the installed version of the Kirby CMS via the system API endpoint. This flaw does not compromise code execution or remote access, but exposes internal configuration details that could assist an attacker in tailoring subsequent attacks. The weakness is a permission-check failure, matching CWE‑862. The impact is limited to information disclosure and does not immediately affect confidentiality or integrity beyond leaking configuration data.

Affected Systems

Kirby CMS from getkirby:kirby is affected. Versions released before 4.9.0 and before 5.4.0 contain the flaw; versions 4.9.0 and 5.4.0 include the fix.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity for the disclosed data. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, implying no known public exploits. The attack requires authenticated access to the CMS, which the affected user already possesses for normal operations. Once authenticated, an attacker can easily access the system API to obtain the license information and CMS version, providing useful context for further targeted attacks.

Generated by OpenCVE AI on May 9, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kirby to version 4.9.0 or 5.4.0 or newer.
  • Restrict or disable the system API endpoint for users without explicit need.
  • Monitor system logs for unauthorized API access attempts.

Generated by OpenCVE AI on May 9, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x68m-c7jf-2572 Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
History

Sat, 09 May 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Getkirby
Getkirby kirby
Vendors & Products Getkirby
Getkirby kirby

Sat, 09 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
Title Kirby: System API endpoint leaks license data and installed version to authenticated users
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Getkirby Kirby
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:37:42.707Z

Reserved: 2026-04-23T16:05:01.710Z

Link: CVE-2026-42051

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T04:16:22.110

Modified: 2026-05-09T04:16:22.110

Link: CVE-2026-42051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses