CVE-2026-42137
Privilege Escalation in Kirby CMS Panel and REST API

Publication date: 2026-05-09

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
Meta Information
Published: 2026-05-09
Last Modified: 2026-05-18
Generated: 2026-06-19
AI Q&A: 2026-05-09
EPSS Evaluated: 2026-06-18
Affected Vendors & Products (2 associated CPEs)

Vendor    Product  Version / Range
getkirby  kirby    before 4.9.0 (exclusive)
getkirby  kirby    from 5.0.0 (inclusive) to 5.4.0 (exclusive)
CWE ID   Description
CWE-863  The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-862  The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-42137 is a vulnerability in Kirby CMS versions 4.8.0 and below, as well as 5.0.0 to 5.3.3, where the `pages.access/list` and `files.access/list` permissions are not consistently enforced in the Panel and REST API.

This flaw allows authenticated users to view pages or files they are not authorized to access, potentially exposing sensitive information.

The issue occurs because user roles with restricted permissions for listing or accessing pages/files are not properly filtered in certain interfaces like the changes dialog, REST API responses, or file/image listings.

The vulnerability has been patched in Kirby versions 4.9.0 and 5.4.0 by adding additional permission checks to enforce the `isListable()` method consistently.

Impact Analysis

This vulnerability can impact you by allowing authenticated users with low privileges to access pages or files they should not be able to see.

The primary impact is unauthorized information disclosure, which means sensitive or restricted content could be exposed to users without proper permissions.

Exploitation does not require user interaction and can be done remotely via the Panel or REST API, but it does not allow unauthorized write actions.

Detection Guidance

This vulnerability involves inconsistent enforcement of `pages.access/list` and `files.access/list` permissions in Kirby CMS versions prior to 4.9.0 and 5.4.0. Detection involves verifying whether a user whose role restricts access or listing can still see those pages or files via the Panel or REST API.

To detect this on your system, you can attempt to authenticate as a low-privilege user and try to list or access pages and files that should be restricted. Specifically, test the following:

  • Use the REST API endpoints related to pages and files listing to see if restricted content is accessible.
  • Check the Panel interface, especially dialogs like the changes dialog or file/image listings, to verify if unauthorized content is visible.

Example commands (replace URL and credentials accordingly):

  • curl -u lowprivuser:password https://your-kirby-site.com/api/pages -v
  • curl -u lowprivuser:password https://your-kirby-site.com/api/files -v

If these commands return pages or files that the user role should not have access to, the system is vulnerable.

Mitigation Strategies

The primary mitigation step is to upgrade Kirby CMS to a patched version where this vulnerability is fixed.

  • Upgrade to Kirby version 4.9.0 or later if you are on the 4.x branch.
  • Upgrade to Kirby version 5.4.0 or later if you are on the 5.x branch.

These versions include consistent enforcement of the `pages.access/list` and `files.access/list` permissions, preventing unauthorized information disclosure.

Until you can upgrade, restrict access to the Panel and REST API to trusted users only, and review user roles to minimize exposure.

Compliance Impact

This vulnerability allows authenticated users to view pages or files they are not authorized to access, potentially exposing sensitive information.

Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Therefore, until patched, this flaw may increase the risk of violating these compliance requirements due to improper enforcement of access permissions.
