Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
Published: 2026-05-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Kirby's REST API and back‑end panel do not enforce permissions consistently on the pages.access/list and files.access/list endpoints. Based on the description, it is inferred that attackers who can reach these URLs—whether through a normal authenticated session or via an exposed API endpoint—can retrieve full listings of pages or files that they normally would not be allowed to view. This bypasses the intended authorization controls (CWE‑862, CWE‑863) and can expose sensitive content and aid further exploitation.

Affected Systems

The issue affects the open‑source Kirby Content Management System distributed by getkirby. All installations running a version earlier than 4.9.0 (including the 4.x series) and earlier than 5.4.0 (including the 5.x series) are vulnerable. The fix is included in releases 4.9.0 and 5.4.0.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the vulnerability can be exploited remotely via the web interface or REST API by any user who can reach the endpoints, even if the user has only basic authenticated access. Once accessed, the attacker could enumerate site structure and files, potentially facilitating additional attacks.

Generated by OpenCVE AI on May 9, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kirby release (4.9.0 or later, or 5.4.0 or later) to remove the inconsistent permission checks.
  • If immediate upgrade is not possible, temporarily block or disable the pages.access/list and files.access/list endpoints in the Panel by editing the configuration to hide those actions.
  • Configure Kirby’s role settings so that the pages.access/list and files.access/list actions are assigned only to administrators, ensuring that non‑admin users cannot invoke these endpoints.

Generated by OpenCVE AI on May 9, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-85x2-r8xv-ww8c Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API
History

Sat, 09 May 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Getkirby
Getkirby kirby
Vendors & Products Getkirby
Getkirby kirby

Sat, 09 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
Title Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog
Weaknesses CWE-862
CWE-863
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Getkirby Kirby
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:38:35.474Z

Reserved: 2026-04-24T17:15:21.833Z

Link: CVE-2026-42137

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T04:16:22.653

Modified: 2026-05-09T04:16:22.653

Link: CVE-2026-42137

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T08:00:06Z

Weaknesses