User Permissions Vulnerability in Kirby CMS by GetKirby
CVE-2026-41325

7.1 HIGH

Key Information:

Vendor: Getkirby
Status: Vendor
CVE Published: 24 April 2026

What is CVE-2026-41325?

Kirby CMS, an open-source content management system, has a vulnerability related to user permissions that allows an attacker to override site developers' security settings. This issue occurs due to incorrect handling of the 'options' feature, which is meant to restrict user actions based on their roles. Prior to versions 4.9.0 and 5.4.0, the system failed to properly filter user-provided inputs during the creation of pages, files, and users. This flaw enabled unauthorized users to inject dynamic blueprint configurations, effectively granting themselves permissions that should have been restricted. The vulnerability has been addressed in the latest releases, which include updates to normalize the creation process and enforce stricter checks on the blueprint property.
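The pattern the advisory describes, as an added illustration that is not Kirby's own code or its fix: creation props arrive from a client, and anything permission-relevant (the blueprint and its options) must come from the developer's server-side definitions rather than from the request. The blueprint table, the allowlist of creation keys and the function names are assumptions made for this example; they do not reflect Kirby's real API.

```php
<?php
// Added illustration (not Kirby's code): keep permission-relevant configuration
// server-side and strip it from client-supplied creation props.

declare(strict_types=1);

// Hypothetical developer-defined blueprints, keyed by template name.
// In a real site these would be loaded from the blueprint files on disk.
const SERVER_BLUEPRINTS = [
    'default' => [
        'options' => ['delete' => false, 'changeStatus' => false],
    ],
    'article' => [
        'options' => ['delete' => false, 'changeStatus' => false],
    ],
];

// Assumed allowlist of keys a client may supply when creating a page.
const ALLOWED_CREATE_KEYS = ['slug', 'template', 'content'];

/**
 * Unsafe variant (hypothetical, for contrast): the request props are merged
 * with the server-side blueprint using `+`, where the LEFT operand wins.
 * A client that sends its own 'blueprint' key therefore overrides the
 * developer's options, which is the class of bug the advisory describes.
 */
function createPagePropsUnsafe(array $props): array
{
    $template = $props['template'] ?? 'default';
    return $props + ['blueprint' => SERVER_BLUEPRINTS[$template] ?? SERVER_BLUEPRINTS['default']];
}

/**
 * Hardened variant: drop every key outside the allowlist (including any
 * client-supplied 'blueprint'), reject unknown templates, and attach the
 * server-side blueprint last so it cannot be shadowed by request data.
 */
function createPagePropsSafe(array $props): array
{
    $clean = [];
    foreach ($props as $key => $value) {
        if (in_array($key, ALLOWED_CREATE_KEYS, true)) {
            $clean[$key] = $value;
        }
    }

    $template = $clean['template'] ?? 'default';
    if (!is_string($template) || !array_key_exists($template, SERVER_BLUEPRINTS)) {
        throw new InvalidArgumentException('Unknown template');
    }

    $clean['template']  = $template;
    $clean['blueprint'] = SERVER_BLUEPRINTS[$template];
    return $clean;
}

/** Permission check: consults only the blueprint attached by the creation step. */
function isActionAllowed(array $page, string $action): bool
{
    return (bool) ($page['blueprint']['options'][$action] ?? false);
}

// Constructed request: a client smuggling its own blueprint to loosen the
// developer's options. Marked as sample input for this example.
$untrusted = [
    'slug'      => 'hello',
    'template'  => 'article',
    'content'   => ['title' => 'Hello'],
    'blueprint' => ['options' => ['delete' => true, 'changeStatus' => true]],
];

$unsafePage = createPagePropsUnsafe($untrusted);
$safePage   = createPagePropsSafe($untrusted);

printf("unsafe: delete=%s changeStatus=%s\n",
    var_export(isActionAllowed($unsafePage, 'delete'), true),
    var_export(isActionAllowed($unsafePage, 'changeStatus'), true));
printf("safe:   delete=%s changeStatus=%s\n",
    var_export(isActionAllowed($safePage, 'delete'), true),
    var_export(isActionAllowed($safePage, 'changeStatus'), true));
```

Running the script shows the unsafe path honouring the client's injected options while the hardened path reports both actions as denied. Two design points carry the weight: the allowlist means a new request key is ignored by default rather than passed through, and assigning the server-side blueprint after filtering means merge order can never let request data win.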

Affected Version(s)

kirby < 4.9.0

kirby >= 5.0.0, < 5.4.0

References

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
