Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kirby CMS performed no authorization check when a user avatar was created, replaced or deleted, so these operations were not tied to the permission that governs updating a user account (CWE-862, missing authorization). As a result, any authenticated user could set or remove another user's avatar, which permits impersonation or defacement of user profiles. The flaw grants no additional privileges and no access to content, but it undermines trust in the Panel's identity cues and can hinder identification of who made a change.
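The missing-authorization pattern described above, as an added illustrative model that is not Kirby's own code: the User class, the can_update rule (admins may update anyone, other users only themselves) and the two service classes are assumptions made for this example. The vulnerable service performs all three avatar operations without consulting the user-update permission; the gated version routes each through a single check so the self-service case still works while cross-user edits by non-admins are rejected.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class NotAuthorized(Exception):
    """Raised when the acting user may not update the target user."""


@dataclass
class User:
    id: str
    role: str                       # assumed roles for the example: "admin" or "editor"
    avatar: Optional[bytes] = None  # raw image bytes, None when no avatar is set


def can_update(actor: User, target: User) -> bool:
    """Assumed user-update rule: admins may update anyone, others only themselves."""
    return actor.role == "admin" or actor.id == target.id


class VulnerableAvatarService:
    """Avatar operations that never consult the user-update permission (CWE-862).

    Mirrors the flaw described above: the caller's identity is taken, but
    never checked against the account being modified.
    """

    def create(self, actor: User, target: User, data: bytes) -> None:
        target.avatar = data

    def replace(self, actor: User, target: User, data: bytes) -> None:
        target.avatar = data

    def delete(self, actor: User, target: User) -> None:
        target.avatar = None


class GatedAvatarService:
    """The same three operations, each routed through one authorization check."""

    def _authorize(self, actor: User, target: User) -> None:
        # Single chokepoint for create, replace and delete, so a new avatar
        # operation cannot be added without inheriting the check.
        if not can_update(actor, target):
            raise NotAuthorized(f"user {actor.id} may not update user {target.id}")

    def create(self, actor: User, target: User, data: bytes) -> None:
        self._authorize(actor, target)
        target.avatar = data

    def replace(self, actor: User, target: User, data: bytes) -> None:
        self._authorize(actor, target)
        target.avatar = data

    def delete(self, actor: User, target: User) -> None:
        self._authorize(actor, target)
        target.avatar = None


def run_scenario(service) -> Dict[str, object]:
    """Editor 'eve' tries to replace and then delete admin 'alice''s avatar,
    then sets her own; admin 'alice' then deletes eve's. Returns the outcome
    of each step so the two services can be compared."""
    alice = User("alice", "admin", avatar=b"ALICE")
    eve = User("eve", "editor")
    outcome: Dict[str, object] = {}

    def attempt(name, fn, *args):
        try:
            fn(*args)
            outcome[name] = "allowed"
        except NotAuthorized:
            outcome[name] = "denied"

    attempt("replace_other", service.replace, eve, alice, b"EVIL")
    attempt("delete_other", service.delete, eve, alice)
    attempt("create_self", service.create, eve, eve, b"EVE")
    attempt("admin_on_other", service.delete, alice, eve)
    outcome["alice_avatar"] = alice.avatar
    return outcome


if __name__ == "__main__":
    print("unpatched:", run_scenario(VulnerableAvatarService()))
    print("gated:    ", run_scenario(GatedAvatarService()))
```

The point of the `_authorize` chokepoint is structural: when each endpoint calls the permission check itself, a new or refactored endpoint can silently skip it, which is exactly the class of omission this CVE records.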

Affected Systems

Kirby CMS releases before 4.9.0 on the 4.x branch and before 5.4.0 on the 5.x branch are affected. The product is tracked under the getkirby:kirby vendor/product name.

Risk and Exploitability

The CVSS 4.0 score of 5.3 indicates moderate severity. The EPSS estimate is below 1% and the flaw is not listed in CISA KEV. The vector (AV:N/AC:L/AT:N/PR:L/UI:N) describes a network-reachable attack by a low-privileged authenticated user with no user interaction required; the only impact component is low integrity (VI:L), matching the ability to change another account's avatar but nothing else. The likely attack path is an ordinary authenticated user calling the avatar create, replace or delete operations against another user's account.

Generated by OpenCVE AI on May 9, 2026 at 05:51 UTC.

Remediation

Fixed by the vendor in Kirby 4.9.0 (4.x branch) and 5.4.0 (5.x branch), as stated in the description and the GHSA advisory listed under Advisories. No workaround is documented on this page.

OpenCVE Recommended Actions

  • Upgrade to Kirby 4.9.0 (4.x) or 5.4.0 (5.x), which add the missing user‑update permission check to avatar creation, replacement and deletion.
  • If an upgrade is not immediately possible, gate the avatar create, replace and delete actions behind the same user‑update permission that governs other user edits or, where your deployment allows it, disable avatar management until patched.
  • Enable and review logging of avatar‑management actions (actor, target user, operation) to detect changes made by someone other than the account owner or an administrator.
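One way to act on the logging recommendation, as an added example rather than anything Kirby or OpenCVE ships: the log format (one line per action with actor, role, action and target fields) and the sample lines are constructed for this example, and the rule reuses the assumption that only administrators may act on other users' accounts. Any avatar change a non‑admin makes to another account is what the unpatched code allows, so flagged entries point at either an unpatched instance or a permission misconfiguration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Constructed sample log lines (not real Kirby output). The format is an
# assumption: ISO timestamp, then key=value pairs for actor, role, action, target.
SAMPLE_LOG = """\
2026-05-09T05:50:01Z actor=alice role=admin action=avatar.create target=alice
2026-05-09T05:50:14Z actor=bob role=editor action=avatar.replace target=bob
2026-05-09T05:51:02Z actor=eve role=editor action=avatar.replace target=alice
2026-05-09T05:51:09Z actor=eve role=editor action=avatar.delete target=bob
2026-05-09T05:52:30Z actor=alice role=admin action=avatar.delete target=eve
2026-05-09T05:53:00Z actor=eve role=editor action=page.update target=home
this line is malformed and must be skipped, not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# The three operations this CVE covers.
AVATAR_ACTIONS = {"avatar.create", "avatar.replace", "avatar.delete"}


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    action: str
    target: str


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def cross_user_avatar_changes(log_text: str) -> List[Finding]:
    """Flag avatar operations where a non-admin acted on another user's account.

    Same assumed rule as for user update: admins may act on anyone, everyone
    else only on themselves. Malformed lines and non-avatar actions are ignored.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] not in AVATAR_ACTIONS:
            continue
        if rec["role"] != "admin" and rec["actor"] != rec["target"]:
            findings.append(Finding(rec["ts"], rec["actor"], rec["action"], rec["target"]))
    return findings


if __name__ == "__main__":
    for f in cross_user_avatar_changes(SAMPLE_LOG):
        print(f"{f.ts} {f.actor} performed {f.action} on {f.target}")
```

Run it against the sample and the two eve entries are reported; alice deleting eve's avatar is not, because the assumed rule lets administrators update any account.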

Generated by OpenCVE AI on May 9, 2026 at 05:51 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-39cp-6679-8xv2
Title: Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
History

Each entry lists the type of change and the values added; no values were removed in either entry.

Sat, 09 May 2026 05:45:00 +0000

Type: First Time appeared
  Values added: Getkirby; Getkirby kirby

Type: Vendors & Products
  Values added: Getkirby; Getkirby kirby

Sat, 09 May 2026 04:15:00 +0000

Type: Description
  Values added: Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

Type: Title
  Values added: Kirby: User avatar creation, replacement and deletion are not gated by user update permissions

Type: Weaknesses
  Values added: CWE-862

Type: References

Type: Metrics
  Values added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T03:39:06.016Z

Reserved: 2026-04-25T01:53:21.582Z

Link: CVE-2026-42174

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T04:16:23.600

Modified: 2026-05-09T04:16:23.600

Link: CVE-2026-42174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T06:00:12Z

Weaknesses