Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
Published: 2026-05-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kirby CMS allows read access to site, user, and role information without enforcing permission checks (CWE-862, missing authorization). The CVSS vector (PR:L) indicates the attacker needs a valid low-privileged account, for example a user with a restricted role, rather than anonymous access; with such an account they can retrieve usernames, role assignments, and site configuration details their role was never granted permission to see. The impact is confined to confidentiality (VC:H, no integrity or availability impact), but the exposed user and role data is exactly what an attacker wants when selecting higher-privileged accounts to target next.

Affected Systems

All Kirby CMS installations running version 4.x prior to 4.9.0, or version 5.x prior to 5.4.0, are affected (tracked under the vendor/product pair getkirby:kirby). The CVE description only says "prior to versions 4.9.0 and 5.4.0"; releases older than the 4.x line are not explicitly assessed, so confirm their status with the vendor advisory rather than treating them as unaffected.

Risk and Exploitability

The CVSS 4.0 score of 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates high severity: reachable over the network, low attack complexity, no user interaction, but low privileges required. The EPSS score is below 1% and the vulnerability is not listed in CISA KEV, so there is no indication of widespread exploitation at publication time. The likely attack vector is an authenticated user with a restricted role issuing requests to the endpoints that return site, user, or role data; this is an inference from the description that read access is not gated by permissions, not a documented exploit path. Because the missing check is on authorization rather than authentication, any account that can log in is a sufficient starting point, and the result is a confidentiality breach of data the account was not entitled to read.
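The pattern behind CWE-862 is easy to miss in review because the vulnerable handler does perform a check, just the wrong one: it confirms a session exists and never asks what that session's role may read. The following Python is an added illustration written for this page, not Kirby's code; the user store, the "editor" and "admin" roles and the permission names such as "users.read" are invented. It places the session-only handler beside a handler that also enforces a per-resource permission, and a probe that reports the status each role gets for the three data classes named in the advisory (site, users, roles).

```python
"""Added illustration of CWE-862 (missing authorization) on read endpoints.
This is NOT Kirby's code: the store, roles and permission names are invented
to show the pattern. Authentication alone is not a permission check."""
from typing import Dict, List, Optional, Set

# Constructed sample data standing in for a CMS user store and site config.
USERS: List[Dict[str, str]] = [
    {"id": "u1", "email": "admin@example.test", "role": "admin"},
    {"id": "u2", "email": "editor@example.test", "role": "editor"},
]
SITE = {"title": "Example site", "url": "https://example.test"}

# Hypothetical permission names. "editor" deliberately gets no read rights
# over site/users/roles so the difference between the two handlers shows.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"site.read", "users.read", "roles.read"},
    "editor": set(),
}

# The three kinds of data the advisory says were readable without permission.
RESOURCES = {
    "site": lambda: dict(SITE),
    "users": lambda: [dict(u) for u in USERS],
    "roles": lambda: sorted(ROLE_PERMISSIONS),
}


class Unauthorized(Exception):
    """No valid session (would map to HTTP 401)."""


class Forbidden(Exception):
    """Session exists but its role lacks the permission (HTTP 403)."""


def read_resource_vulnerable(session: Optional[dict], resource: str):
    """Vulnerable shape: only checks that *some* user is logged in.
    Any account, whatever its role, can read site, user and role data."""
    if session is None:
        raise Unauthorized()
    return RESOURCES[resource]()


def require_permission(session: Optional[dict], permission: str) -> None:
    """Authorization gate: deny unless the session's role grants the permission."""
    if session is None:
        raise Unauthorized()
    granted = ROLE_PERMISSIONS.get(session["role"], set())
    if permission not in granted:
        raise Forbidden(f"{session['role']} lacks {permission}")


def read_resource_fixed(session: Optional[dict], resource: str):
    """Fixed shape: authentication plus a per-resource permission check."""
    require_permission(session, f"{resource}.read")
    return RESOURCES[resource]()


def probe(handler, session: Optional[dict]) -> Dict[str, str]:
    """Return {resource: 'ok' | '401' | '403'} for one handler and one session,
    i.e. what each role would see from each endpoint."""
    result = {}
    for name in RESOURCES:
        try:
            handler(session, name)
            result[name] = "ok"
        except Unauthorized:
            result[name] = "401"
        except Forbidden:
            result[name] = "403"
    return result


if __name__ == "__main__":
    editor = {"user_id": "u2", "role": "editor"}
    print("vulnerable, editor:", probe(read_resource_vulnerable, editor))
    print("fixed, editor:     ", probe(read_resource_fixed, editor))
```

With the vulnerable handler the restricted "editor" session reads all three resources; with the fixed handler it gets 403 on each while the "admin" session still succeeds and a missing session still gets 401. When auditing a patched install, the same probe shape (one low-privileged account, one request per data class, expect 403) is the quickest regression check.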

Generated by OpenCVE AI on May 9, 2026 at 06:23 UTC.

Remediation

Vendor fix: upgrade to Kirby 4.9.0 or 5.4.0 (per the CVE description and GHSA-2h7v-4372-f6x2). No vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Kirby to version 4.9.0 or later, or 5.4.0 or later, to apply the vendor patch that enforces permission checks on site, user, and role data.
  • If an immediate upgrade is not feasible, shrink the pool of accounts that can exercise the flaw: the bug requires a valid low-privileged login, so blocking only unauthenticated traffic does not address it. Limit who can log in, and restrict the admin and API paths to trusted networks at the web server or firewall where the deployment allows it.
  • Audit existing user roles and permissions, remove accounts and privileges that are no longer needed, and after patching verify with a low-privileged account that requests for site, user, and role data are now refused.
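The first action above is a version comparison, and across a fleet that is worth scripting. The following Python is an added example, not OpenCVE or Kirby tooling. It assumes the installation is managed with Composer and that the Kirby core package appears in composer.lock under the name getkirby/cms (an assumption about the package name; adjust it if your lock file differs), and it encodes the two fixed versions from this page. The lock-file snippets are constructed for the example. Versions outside the 4.x and 5.x lines are reported as "unassessed" rather than "patched", matching the caveat in the Affected Systems section.

```python
"""Added example: flag Kirby installs affected by CVE-2026-42069 from composer.lock.
Not vendor tooling. Assumes the Composer package name getkirby/cms."""
import json
import re
from typing import Optional, Tuple

# Fixed versions from the advisory, keyed by major version line.
FIXED_IN = {4: (4, 9, 0), 5: (5, 4, 0)}

# Accepts "5.3.2", "v5.3.2" and pre-releases such as "4.9.0-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, is_final) so tuples compare in release order.
    A pre-release of X.Y.Z sorts below the final X.Y.Z, so 4.9.0-rc.1 is still
    'prior to 4.9.0' and therefore affected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at/after the fixed release for its line,
    None if the major line is not covered by the advisory's fixed versions."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed + (1,)


def kirby_version_from_lock(lock_text: str, package: str = "getkirby/cms") -> Optional[str]:
    """Find the installed version of the Kirby package in a composer.lock document."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def assess(lock_text: str) -> Tuple[str, Optional[str]]:
    """Classify one lock file: ('affected'|'patched'|'unassessed'|'not-found', version)."""
    version = kirby_version_from_lock(lock_text)
    if version is None:
        return ("not-found", None)
    status = is_affected(version)
    label = {True: "affected", False: "patched", None: "unassessed"}[status]
    return (label, version)


# Constructed composer.lock fragments for the example (not real lock files).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "getkirby/cms", "version": "5.3.2"},
        {"name": "psr/log", "version": "3.0.0"},
    ]
})
PATCHED_LOCK = json.dumps({"packages": [{"name": "getkirby/cms", "version": "5.4.0"}]})

if __name__ == "__main__":
    for name, lock in (("sample", SAMPLE_LOCK), ("patched", PATCHED_LOCK)):
        print(name, assess(lock))
```

Point the script at each site's composer.lock and treat "affected" and "unassessed" as work items; "unassessed" means the advisory gives no fixed version for that line, not that the install is safe.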


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-2h7v-4372-f6x2   Kirby CMS's read access to site, user and role information is not gated by permissions
History

Sat, 09 May 2026 05:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Getkirby
                                       Getkirby kirby
Vendors & Products                     Getkirby
                                       Getkirby kirby

Sat, 09 May 2026 04:15:00 +0000

Type          Values Removed   Values Added
Description                    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
Title                          Kirby: Read access to site, user and role information is not gated by permissions
Weaknesses                     CWE-862
References
Metrics                        cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:37:05.930Z

Reserved: 2026-04-23T19:17:30.564Z

Link: CVE-2026-42069

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T04:16:22.297

Modified: 2026-05-09T04:16:22.297

Link: CVE-2026-42069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T06:30:25Z

Weaknesses