CVE-2026-42051
Information Disclosure in Kirby CMS

Publication date: 2026-05-09

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
Meta Information

Generated: 2026-06-19

AI Q&A generated: 2026-05-09

EPSS evaluated: 2026-06-18
Affected Vendors & Products (2 associated CPEs)

Vendor    Product  Version / Range
getkirby  kirby    all versions before 4.9.0 (4.9.0 excluded)
getkirby  kirby    from 5.0.0 (included) to 5.4.0 (excluded)
CWE

CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The vulnerability in Kirby CMS leaks license data and installed version information to authenticated users due to missing authorization checks on the system API endpoint.

The exposed information is sensitive and could be used for reconnaissance by attackers, but the available context and resources say nothing about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-42051 is a vulnerability in the Kirby CMS system where an API endpoint leaks sensitive information, including the installed version and license data, to authenticated users.

This happens because of missing authorization checks on the /api/system REST endpoint, allowing users with access to retrieve details they should not be able to view.

The issue affects Kirby versions 4.8.0 and below, as well as versions 5.0.0 through 5.3.3, and has been fixed in versions 4.9.0 and 5.4.0 by adding proper authorization checks.

Impact Analysis

The vulnerability allows authenticated users to access sensitive information such as license data and the installed version of the Kirby CMS.

Exposing this information can aid malicious actors in reconnaissance efforts, helping them plan further targeted attacks against the system.

While the vulnerability does not allow direct system compromise, leaking such details can increase the risk of exploitation by revealing system specifics.

Detection Guidance

This vulnerability can be detected by checking whether the Kirby CMS system API endpoint /api/system is reachable by authenticated users and whether its response contains license data and the installed version.

A practical approach is to authenticate to the Kirby CMS, send a request to the /api/system endpoint, and inspect the response for sensitive information.

  • Use a command-line tool such as curl to authenticate and query the endpoint, for example: curl -u username:password https://your-kirby-site.com/api/system
  • Check the response for license data or version information that should not be exposed to that user; an installed version below 4.9.0, or from 5.0.0 up to but excluding 5.4.0, is in the affected range.
Mitigation Strategies

The immediate mitigation step is to upgrade Kirby CMS to a patched version where this vulnerability is fixed.

  • Upgrade to Kirby version 4.9.0 or later if you are using the 4.x branch.
  • Alternatively, upgrade to Kirby version 5.4.0 or later if you are using the 5.x branch.

These versions include additional authorization checks on the /api/system endpoint to prevent unauthorized access to sensitive information.
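As an added example (not code from this advisory or the Kirby project), the Python below applies the affected version ranges from the Detection Guidance and Mitigation Strategies sections and scans a captured /api/system response body for the leaked fields. The JSON key names ("license", "version") and the sample response are assumptions, since the advisory does not show the endpoint's actual response shape.

```python
# Added example for CVE-2026-42051; not Kirby's own code.
import json
import re

# Affected ranges from the CPE table: < 4.9.0, and >= 5.0.0 but < 5.4.0.
FIXED_4X = (4, 9, 0)
FIRST_5X = (5, 0, 0)
FIXED_5X = (5, 4, 0)


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' (any suffix ignored) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if this Kirby version lies in an affected range for CVE-2026-42051."""
    v = parse_version(version)
    if v < FIXED_4X:
        return True
    return FIRST_5X <= v < FIXED_5X


# ASSUMPTION: key names used for illustration; the advisory only says the
# endpoint leaks "license data" and the "installed version".
SENSITIVE_KEYS = {"license", "version"}


def leaked_fields(body, _path=""):
    """Return dotted paths of sensitive keys found anywhere in a decoded JSON body."""
    found = []
    if isinstance(body, dict):
        for key, value in body.items():
            path = f"{_path}.{key}" if _path else key
            if key.lower() in SENSITIVE_KEYS:
                found.append(path)
            found.extend(leaked_fields(value, path))
    elif isinstance(body, list):
        for i, value in enumerate(body):
            found.extend(leaked_fields(value, f"{_path}[{i}]"))
    return found


def assess(version, response_text):
    """Verdict for one captured /api/system response: version in range + fields seen."""
    leaks = leaked_fields(json.loads(response_text))
    return {"affected_version": is_affected(version), "leaked_fields": leaks}


# Constructed sample response for the demo; not real Kirby output.
SAMPLE_RESPONSE = '{"status":"ok","data":{"version":"5.3.3","license":{"type":"demo"}}}'
```

Run assess("5.3.3", SAMPLE_RESPONSE) against a response you captured with the curl command above to get both the version verdict and the list of leaked field paths.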
