User Permission Flaw in Kirby CMS Affecting New Page Status Control
CVE-2026-34587

7.6 HIGH

Key Information:

Vendor: Getkirby
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-34587?

A vulnerability in Kirby, an open-source content management system, allows authenticated users with specific permissions to create published pages directly via the REST API. In earlier versions, the CMS mishandled user permissions during page creation, so the intended editorial workflow could be bypassed. Specifically, the 'changeStatus' permission was not enforced when a page was first created, so a user who was only allowed to create draft pages could create content that was already published. The issue has been resolved in versions 4.9.0 and 5.4.0, which correct the permission-check logic.
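To make the flaw concrete, the following is an added illustration in Python (not Kirby's own code, which is PHP): a hypothetical page-creation handler in the weak form, where only the 'create' permission is checked and any requested status is accepted, beside the corrected form, which also requires 'changeStatus' when the requested status is anything other than draft. The `User`/`Page` model and the status names "draft", "unlisted" and "listed" are assumptions for this example.

```python
"""Hypothetical model of the CVE-2026-34587 permission check (not Kirby code)."""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the acting user lacks the named permission."""


@dataclass
class User:
    name: str
    permissions: frozenset  # assumed names: "create", "changeStatus"


@dataclass
class Page:
    slug: str
    status: str  # assumed values: "draft", "unlisted" or "listed"


def create_page_vulnerable(user: User, slug: str, status: str = "draft") -> Page:
    """Weak form: the requested status is stored without checking changeStatus.

    A user holding only 'create' can therefore ask for status="listed" and
    obtain a page that is published from the moment it is created.
    """
    if "create" not in user.permissions:
        raise PermissionDenied("create")
    return Page(slug, status)


def create_page_fixed(user: User, slug: str, status: str = "draft") -> Page:
    """Corrected form: creating a page in a non-draft status is treated as
    create + changeStatus, so both permissions are required."""
    if "create" not in user.permissions:
        raise PermissionDenied("create")
    if status != "draft" and "changeStatus" not in user.permissions:
        raise PermissionDenied("changeStatus")
    return Page(slug, status)


if __name__ == "__main__":
    # Constructed sample: an editor allowed to create but not to publish.
    editor = User("editor", frozenset({"create"}))
    print(create_page_vulnerable(editor, "news", "listed"))  # published page
    try:
        create_page_fixed(editor, "news", "listed")
    except PermissionDenied as exc:
        print("denied:", exc)  # denied: changeStatus
```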

Affected Version(s)

kirby < 4.9.0 (fixed in 4.9.0)

kirby >= 5.0.0, < 5.4.0 (fixed in 5.4.0)

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published (24 April 2026)

  • Vulnerability reserved