Authorization Bypass in Kirby CMS Affects Open-Source Content Management System by GetKirby
CVE-2026-49274
5.3MEDIUM
What is CVE-2026-49274?
An authorization bypass vulnerability has been found in Kirby CMS, prior to versions 4.9.4 and 5.4.4. This flaw allows authenticated users to use the pages field with roles that lack the pages.access permission. Consequently, they could input an inaccessible parent page or site in the backend page picker, thereby confirming the existence of arbitrary pages and retrieving their title field values. This could potentially lead to sensitive information leakage. The issue has been addressed in the following versions: 4.9.4 and 5.4.4.
Affected Version(s)
kirby < 4.9.4 < 4.9.4
kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4
