CVE-2026-42051
Information Disclosure in Kirby CMS
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getkirby | kirby | all versions before 4.9.0 (4.9.0 excluded) |
| getkirby | kirby | from 5.0.0 (included) up to 5.4.0 (excluded) |
| getkirby | kirby | up to and including 5.3.3 |
| getkirby | kirby | 4.9.0 |
| getkirby | kirby | 5.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42051 is a vulnerability in the Kirby CMS system where an API endpoint leaks sensitive information, including the installed version and license data, to authenticated users.
This happens because of missing authorization checks on the /api/system REST endpoint, allowing users with access to retrieve details they should not be able to view.
The issue affects Kirby versions 4.8.0 and below, as well as versions 5.0.0 through 5.3.3, and has been fixed in versions 4.9.0 and 5.4.0 by adding proper authorization checks.
How can this vulnerability impact me?
The vulnerability allows authenticated users to access sensitive information such as license data and the installed version of the Kirby CMS.
Exposing this information can aid malicious actors in reconnaissance efforts, helping them plan further targeted attacks against the system.
While the vulnerability does not allow direct system compromise, leaking such details can increase the risk of exploitation by revealing system specifics.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the Kirby CMS REST endpoint /api/system is reachable by authenticated users and whether its response includes license data and the installed version.
A practical approach is to authenticate to the Kirby CMS with a low-privileged account and send a request to the /api/system endpoint to see whether this information is returned.
- Use a command-line tool such as curl to authenticate and query the endpoint, for example: `curl -u username:password https://your-kirby-site.com/api/system`
- Check the response for license data or version information that should not be exposed.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Kirby CMS to a patched version where this vulnerability is fixed.
- Upgrade to Kirby version 4.9.0 or later if you are using the 4.x branch.
- Alternatively, upgrade to Kirby version 5.4.0 or later if you are using the 5.x branch.
These versions include additional authorization checks on the /api/system endpoint to prevent unauthorized access to sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Kirby CMS leaks license data and installed version information to authenticated users due to missing authorization checks on the system API endpoint.
While the exposed information is sensitive and could be used for reconnaissance by attackers, there is no direct information in the provided context or resources about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.