Authorization Bypass in Kirby CMS Affects Open-Source Content Management System by GetKirby
CVE-2026-49274

5.3MEDIUM

Key Information:

Vendor

Getkirby

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-49274?

An authorization bypass vulnerability has been found in Kirby CMS, prior to versions 4.9.4 and 5.4.4. This flaw allows authenticated users to use the pages field with roles that lack the pages.access permission. Consequently, they could input an inaccessible parent page or site in the backend page picker, thereby confirming the existence of arbitrary pages and retrieving their title field values. This could potentially lead to sensitive information leakage. The issue has been addressed in the following versions: 4.9.4 and 5.4.4.

Affected Version(s)

kirby < 4.9.4 < 4.9.4

kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.