Security Flaw in Kirby CMS Affects File Access Controls
CVE-2026-54004

6.3MEDIUM

Key Information:

Vendor

Getkirby

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-54004?

Kirby CMS, an open-source content management system, has a vulnerability that affects sites with content.fileRedirects enabled. This flaw allows unauthorized users to access files stored on top-level draft pages, bypassing page access permissions and preview tokens. As a result, sensitive draft file contents could be disclosed to unauthenticated requests. The issue has been resolved in versions 4.9.4 and 5.4.4.

Affected Version(s)

kirby < 4.9.4 < 4.9.4

kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.