CVE-2026-42069
Received Received - Intake
Information Disclosure in Kirby CMS

Publication date: 2026-05-09

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-18
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42069
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
getkirby kirby to 4.9.0 (exc)
getkirby kirby From 5.0.0 (inc) to 5.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42069 is a high-severity vulnerability in Kirby CMS versions 4.8.0 and below, as well as 5.0.0 to 5.3.3. The issue arises because read access to site, user, and role information is not properly restricted by permissions. Authenticated users with low privileges can read sensitive information without having the necessary authorization checks enforced.

Specifically, permissions such as site.access, user.access, users.access, user.list, and users.list were not enforced for read operations, allowing unauthorized data exposure. Write actions were already protected, so attackers cannot modify data, only read it. This vulnerability was patched in versions 4.9.0 and 5.4.0.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information such as site details, user data, and role information to attackers with low privileges. Although attackers cannot modify or write data, the exposure of this information can compromise privacy and security.

Such unauthorized data access could be leveraged for further attacks, social engineering, or gaining insights into the system's structure and user roles, increasing the risk of targeted attacks.

Detection Guidance

This vulnerability involves missing authorization checks in Kirby CMS versions 4.8.0 and below, as well as 5.0.0 to 5.3.3, allowing authenticated Panel users to read site, user, and role information without proper permissions.

Detection would involve verifying the version of Kirby CMS in use and checking if unauthorized read access to site, user, and role information is possible for low-privilege authenticated users.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade Kirby CMS to version 4.9.0 or 5.4.0 or later, where the missing authorization checks have been patched.

Until the upgrade can be performed, restrict authenticated Panel user access to trusted users only, as low-privilege users can exploit this vulnerability to read sensitive information.

Compliance Impact

The vulnerability allows unauthorized read access to site, user, and role information due to missing permission checks in affected Kirby CMS versions. This unauthorized exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Since attackers with low privileges can access sensitive data without proper authorization, organizations using vulnerable versions of Kirby CMS might fail to meet the confidentiality and access control requirements mandated by these standards.

The issue has been patched in versions 4.9.0 and 5.4.0, so upgrading to these or later versions is necessary to restore compliance and reduce the risk of unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart