Access Control Vulnerability in Kirby CMS by GetKirby
CVE-2026-42137
7.1 HIGH
What is CVE-2026-42137?
Kirby CMS, a widely used open-source content management system, has an access control vulnerability that can lead to unauthorized access to sensitive information. Prior to versions 4.9.0 and 5.4.0, the permissions for 'pages.access/list' and 'files.access/list' were inadequately checked within the Panel and REST API. This omission could allow unprivileged users to view or manipulate resources they should not have access to. Users of affected versions should upgrade to the latest versions to mitigate the risks associated with this vulnerability.
Affected Version(s)
kirby < 4.9.0
kirby >= 5.0.0, < 5.4.0
