CVE-2026-21896
Missing Permission Checks in Kirby CMS Content Changes API
Publication date: 2026-01-08
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getkirby | kirby | From 5.0.0 (inc) to 5.2.1 (inc) |
| getkirby | kirby | 5.2.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21896 is a moderate severity vulnerability in Kirby CMS versions 5.0.0 through 5.2.1, caused by missing permission checks in the content changes API. This flaw allows users with low privileges who have Panel access to create, modify, or discard changes versions of content models (such as pages, users, files, or the site) without proper authorization. The vulnerability affects sites where user permissions have been customized to restrict write actions by disabling the update permission, but these restrictions were not enforced on changes versions. This can lead to unauthorized content modifications, malicious content insertion, editing locks that block legitimate users, or loss of legitimate changes. The issue was fixed in version 5.2.2 by adding explicit permission checks to enforce update permissions on changes versions. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers with low privileges and Panel access to perform unauthorized actions on content changes versions. They could maliciously create changes that lock editing for legitimate users, insert defamatory or malicious content that might later be published by authorized editors, or discard legitimate changes causing loss of work. These unauthorized modifications compromise the integrity of your site content and can disrupt normal content management workflows. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Kirby CMS installation is running a version between 5.0.0 and 5.2.1 and if user permissions have been customized to restrict update actions. Specifically, you should verify if unauthorized users can create, modify, or discard changes versions of content without proper update permissions. Since the issue involves missing permission checks in the content changes API, you can attempt to perform content changes operations (such as discarding or publishing changes versions) with a low-privilege user account to see if unauthorized actions are allowed. There are no specific commands provided in the resources, but you can test API endpoints related to content changes with different user roles to detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade your Kirby CMS installation to version 5.2.2 or later, where the issue has been fixed by adding explicit permission checks in the content changes API. Until you can upgrade, review and restrict user permissions carefully, especially ensuring that users without update permissions cannot access the content changes API. Additionally, monitor and audit user actions related to content changes to detect any unauthorized modifications. [2, 3]