Permission Checking Flaw in Kirby CMS Versions 5.0.0 to 5.2.1
CVE-2026-21896

5.8MEDIUM

Key Information:

Vendor

Getkirby

Status
Kirby
Vendor
CVE Published:
8 January 2026

What is CVE-2026-21896?

A critical flaw exists in Kirby, an open-source content management system, affecting versions 5.0.0 to 5.2.1, due to the absence of necessary permission checks within the content changes API. This vulnerability can allow users with specific roles to perform write actions, bypassing intended restrictions. If permission configurations are altered to prevent writing, this issue can significantly compromise the integrity of the site. This flaw particularly affects websites that have customized user permissions systems. Users are advised to upgrade to version 5.2.2, which includes a patch addressing this vulnerability.

Affected Version(s)

kirby >= 5.0.0, < 5.2.2

References

https://github.com/getkirby/kirby/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/getkirby/kirby/commit/f5ce1347b427b819...
x_refsource_MISC
https://github.com/getkirby/kirby/releases/tag/5.2.2
x_refsource_MISC

CVSS V4

Score:
5.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.