CVE-2026-42069
Information Disclosure in Kirby CMS
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getkirby | kirby | up to 4.9.0 (excluding) |
| getkirby | kirby | up to 5.4.0 (excluding) |
| getkirby | kirby | from 4.8.0 (including) to 4.9.0 (excluding) |
| getkirby | kirby | from 5.0.0 (including) to 5.4.0 (excluding) |
| getkirby | kirby | up to 5.3.3 (including) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42069 is a high-severity missing-authorization vulnerability (CWE-862) in Kirby CMS 4.8.0 and earlier and in 5.0.0 through 5.3.3. Read access to site, user and role information was not gated by the corresponding permissions, so an authenticated Panel user with a low-privilege role could read data that role was never granted.
Specifically, the site.access, user.access, users.access, user.list and users.list permissions were enforced for write actions but not for read operations. Because writes were already protected, an attacker can disclose this data but cannot modify it. The issue is fixed in versions 4.9.0 and 5.4.0.
How can this vulnerability impact me?
This vulnerability lets a low-privilege authenticated user read site details, user accounts and role assignments that their permissions should hide. The attacker cannot modify or write data, but the disclosed information is sensitive in its own right (account data falls under privacy rules) and undermines the separation between roles that the permission model is meant to provide.
A list of accounts and their roles also maps out who holds elevated privileges, which can be leveraged for targeted phishing or social engineering of administrators, credential-based follow-up attacks, or other attempts to escalate from the low-privilege foothold.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a set of missing authorization checks in Kirby CMS 4.8.0 and earlier and in 5.0.0 through 5.3.3; it allows authenticated Panel users to read site, user and role information without holding the corresponding permissions.
Detection is primarily version-based: determine the Kirby core version each installation runs and compare it against the fixed releases (4.9.0 for the 4.x line, 5.4.0 for the 5.x line). On an installation that cannot be upgraded yet, you can additionally confirm the exposure by checking whether a low-privilege authenticated Panel user can read site, user and role information that their role does not grant.
Specific commands are not provided in the available resources.
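The version check described above, as an added example that is not from the advisory page or the Kirby project. It encodes only the ranges this page states as affected (every release below 4.9.0, and 5.0.0 up to but excluding 5.4.0) and the fixed releases 4.9.0 and 5.4.0. The file locations it searches (kirby/composer.json for a plain install, vendor/getkirby/cms/composer.json for a Composer install) and the practice of reading the version from that file's "version" field are assumptions about a typical Kirby deployment; the composer.json written by demo() is a constructed fixture, not real data.

```python
"""Offline version audit for the Kirby CMS missing-authorization issue (CVE-2026-42069).

Added example, not project code. Usage: python kirby_version_audit.py /var/www/site
"""
import json
import os
import re
import tempfile

# First fixed release per line, taken from the advisory text.
FIXED = {4: "4.9.0", 5: "5.4.0"}

# Where a Kirby install usually keeps the core's composer.json (assumption).
CANDIDATE_PATHS = ("kirby/composer.json", "vendor/getkirby/cms/composer.json")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def version_key(version):
    """Turn '5.3.3' or '5.4.0-rc.1' into a sortable tuple.

    A pre-release (anything with a '-' suffix) sorts below the final release of
    the same number, so a 5.4.0-rc.1 install is still reported as affected.
    That is the conservative reading; the advisory names only final releases.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Kirby version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    is_final = 0 if "-" in version else 1
    return (major, minor, patch, is_final)


def is_affected(version):
    """True if `version` falls inside a range the advisory lists as affected."""
    key = version_key(version)
    if key < version_key("4.9.0"):          # "up to 4.9.0 (excluding)"
        return True
    return version_key("5.0.0") <= key < version_key("5.4.0")


def fixed_version_for(version):
    """First fixed release of the affected install's line, or None if already fixed."""
    if not is_affected(version):
        return None
    major = version_key(version)[0]
    # Pre-4 installs have no fix in their own line; 4.9.0 is the lowest fixed
    # release named by the advisory (assumption about the sensible upgrade target).
    return FIXED.get(major, FIXED[4])


def audit(version):
    """Report dict for one version string."""
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": fixed_version_for(version),
    }


def read_kirby_version(install_root):
    """Read the core version from the first candidate composer.json found."""
    for relative in CANDIDATE_PATHS:
        path = os.path.join(install_root, relative)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as handle:
                data = json.load(handle)
            if "version" in data:
                return data["version"]
    raise FileNotFoundError(f"no Kirby composer.json with a version under {install_root}")


def audit_install(install_root):
    """Audit a Kirby installation rooted at `install_root`."""
    return audit(read_kirby_version(install_root))


def demo():
    """Constructed fixture: a fake plain install whose core reports 5.3.3."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "kirby"))
        with open(os.path.join(root, "kirby", "composer.json"), "w", encoding="utf-8") as handle:
            json.dump({"name": "getkirby/cms", "version": "5.3.3"}, handle)
        return audit_install(root)


if __name__ == "__main__":
    import sys

    report = audit_install(sys.argv[1]) if len(sys.argv) > 1 else demo()
    if report["affected"]:
        print(f"Kirby {report['version']}: AFFECTED, upgrade to {report['fixed_in']} or later")
    else:
        print(f"Kirby {report['version']}: not in an affected range")
```

Run it against each web root that hosts a Kirby site; with no argument it audits the constructed fixture and reports 5.3.3 as affected with 5.4.0 as the upgrade target. The version-based check tells you whether the code is vulnerable, not whether anyone has exercised it, so it complements rather than replaces a review of which accounts hold Panel roles.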
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Kirby CMS to 4.9.0 or later on the 4.x line, or 5.4.0 or later on the 5.x line; these releases add the missing authorization checks for read operations.
Until the upgrade can be performed, limit Panel access to trusted accounts: review every user with a Panel role, disable or remove accounts that no longer need one, and treat any low-privilege Panel account as able to read site, user and role information in the meantime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized read access to site, user, and role information due to missing permission checks in affected Kirby CMS versions. This unauthorized exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Since attackers with low privileges can access sensitive data without proper authorization, organizations using vulnerable versions of Kirby CMS might fail to meet the confidentiality and access control requirements mandated by these standards.
The issue has been patched in versions 4.9.0 and 5.4.0, so upgrading to these or later versions is necessary to restore compliance and reduce the risk of unauthorized data exposure.