Security Flaw in Kirby CMS Affects File Access Controls
CVE-2026-54004
6.3MEDIUM
What is CVE-2026-54004?
Kirby CMS, an open-source content management system, has a vulnerability that affects sites with content.fileRedirects enabled. This flaw allows unauthorized users to access files stored on top-level draft pages, bypassing page access permissions and preview tokens. As a result, sensitive draft file contents could be disclosed to unauthenticated requests. The issue has been resolved in versions 4.9.4 and 5.4.4.
Affected Version(s)
kirby < 4.9.4 < 4.9.4
kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4
